bug-gnu-utils

Re: sharutils: Directory traversal (security issue) in uudecode


From: John Cowan
Subject: Re: sharutils: Directory traversal (security issue) in uudecode
Date: Mon, 28 Nov 2022 00:51:35 -0500

On Sun, Nov 27, 2022 at 12:30 PM Paul Eggert <eggert@cs.ucla.edu> wrote:
> Another possibility is to do as GNU 'tar' does, and warn about dubious
> file names starting with '/' or '~', while stripping leading prefixes
> (including anything ending in ".."), while retaining the current
> behavior if POSIXLY_CORRECT is set. uudecode could steal tar's code to
> do that.
>

Of course none of this really solves the problem: if the UUID is root and
the current directory is /, or the UUID is not root and the current
directory is the home directory for that UUID, an unsafe archive file can
damage the filesystem even if these protective features are in place.  This
applies to any unarchiver: cpio, pax, unzip, gunzip, etc. etc.  At most it
makes the problem less likely.
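The tar-style handling Paul describes above, as an added C example that is not part of this thread or of sharutils: warn about member names starting with '/' or '~', strip every leading prefix up to and including the last leading ".." component (and the slashes after it), and leave the name untouched when POSIXLY_CORRECT is set. The function and flag names are my own, and the skipping logic follows the behaviour described rather than tar's source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits: the first two mean "warn", the last two describe the rewrite. */
enum { NAME_ABSOLUTE = 1, NAME_TILDE = 2, NAME_DOTDOT = 4, NAME_EMPTY = 8 };

/* Return the safe suffix of NAME (a pointer into NAME, or "." if nothing is
 * left); store flag bits in *FLAGS when non-NULL.  Every leading component up
 * to and including the last leading ".." component is skipped, then any slashes
 * after it.  With posixly_correct != 0 the name is returned unchanged. */
const char *sanitize_member_name(const char *name, int posixly_correct, int *flags)
{
    const char *p;
    size_t prefix_len = 0;
    int f = 0;
    if (name[0] == '/') f |= NAME_ABSOLUTE;
    if (name[0] == '~') f |= NAME_TILDE;
    if (posixly_correct) { if (flags) *flags = f; return name; }
    for (p = name; *p; ) {
        /* ".." is a component only when followed by '/' or the end of string */
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0')) {
            prefix_len = (size_t)(p + 2 - name);
            f |= NAME_DOTDOT;
        }
        while (*p && *p++ != '/') ;   /* step to the next component */
    }
    p = name + prefix_len;
    while (*p == '/') p++;            /* drop the slashes after the prefix */
    if (*p == '\0') { f |= NAME_EMPTY; p = "."; }
    if (flags) *flags = f;
    return p;
}

/* Wrapper returning only the flag bits. */
int member_name_flags(const char *name, int pc) { int f; sanitize_member_name(name, pc, &f); return f; }

int main(void)
{
    /* constructed sample names, as an untrusted uuencode header line might carry */
    const char *samples[] = { "/etc/passwd", "../../etc/passwd", "~/.bashrc", "..", "foo/bar.txt" };
    int posixly = getenv("POSIXLY_CORRECT") != NULL, f;
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const char *safe = sanitize_member_name(samples[i], posixly, &f);
        if (f & (NAME_ABSOLUTE | NAME_TILDE))
            fprintf(stderr, "warning: dubious member name '%s'\n", samples[i]);
        printf("%-18s -> %s\n", samples[i], safe);
    }
    return 0;
}
```

As John points out, the stripped name is still created relative to the current directory, so when that directory is / or a home directory this only makes damage less likely.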