On Sun, Dec 28, 2014 at 11:00:48PM +0300, Alexander Cherepanov wrote:
> >Is your example something that is actually produced by another ar
> >implementation? Or is it an example of a bad long file name that
> >we don't handle properly?
>
> Yes, this is a constructed example of a malicious file. An attempt to
> extract the contents of the archive will lead to creation of a file in the
> root directory. It's usually agreed that unpackers and similar tools should
> not by default touch files outside the working directory. The danger is in
> overwriting sensitive files by an unconscious user or by an automatic
> process.
>
> For similar examples please see
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131 (tar),
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651 (patch). And I
> recently reported the same problem in binutils:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737 .
>
> In case of elfutils the danger is mitigated by the fact that AFAICT only one
> '/' is possible in a filename and only in the leading position. Hence only
> files in the root directory can be written with this attack and only when ar
> is executed by root.
Aha. I should have immediately guessed you were looking for something
malicious :) Thanks for the explanation. And yes, the only '/' possible
without your patch is at the start of the long name.

> >BTW. For patches we require people to follow the guidelines in the
> >CONTRIBUTING file (in particular we require a Signed-off-by line):
> >https://git.fedorahosted.org/cgit/elfutils.git/tree/CONTRIBUTING
>
> Sorry, a better patch attached.

The patch looks perfect and I agree with your analysis. Pushed as is to
master.

Thanks,

Mark
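Added example, not from this thread and not elfutils or binutils code: the kind of member-name check an unpacker needs so that extraction never touches files outside the working directory, in C. The function names `is_safe_relative_path` and `is_safe_ar_member_name` are hypothetical, and the sample names in `main()` are constructed. It goes a little beyond the thread's case: besides the leading '/' discussed above it also rejects ".." components, which is the equivalent escape in formats such as tar.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from elfutils): true if NAME may be created
   relative to the current working directory.  Rejects empty names,
   absolute names (leading '/'), and any ".." path component.  */
bool is_safe_relative_path(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')          /* absolute: would land in the root directory */
        return false;

    /* Walk the '/'-separated components and refuse ".." anywhere.  */
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/* Stricter check for ar archives (also hypothetical): an ar member is a
   bare file name, so any '/' at all means the name was tampered with.  */
bool is_safe_ar_member_name(const char *name)
{
    if (!is_safe_relative_path(name))
        return false;
    return strchr(name, '/') == NULL;
}

int main(void)
{
    /* Constructed member names: one ordinary, the rest hostile.  */
    const char *names[] = { "foo.o", "/etc/passwd", "../../x.o", "sub/foo.o" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s relative:%s ar-member:%s\n", names[i],
               is_safe_relative_path(names[i]) ? "ok " : "BAD",
               is_safe_ar_member_name(names[i]) ? "ok " : "BAD");
    return 0;
}
```

An extractor would call the stricter check on every name it reads from the long-name table before opening anything; the leading-'/' case in the thread is caught by the first test in `is_safe_relative_path`, and the per-component loop covers the tar and patch variants cited above.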
