bug#72283: Path traversal in gzip's -S option

bug-gzip

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#72283: Path traversal in gzip's -S option

From:	Alex Stumpf
Subject:	bug#72283: Path traversal in gzip's -S option
Date:	Wed, 24 Jul 2024 23:59:33 +0200

Hi,

I just stumbled upon a "feature" that was probably not intended with the-S parameter:


  $ cat /tmp/importantfile
  important content
  $ gzip -f -k -S .d/../../tmp/importantfile /etc/ld.so.conf
  $ cat /tmp/importantfile
  <gzipped content of /etc/ld.so.conf>
  $

I.e., it is possible to create/overwrite files at arbitrary locations(provided the user has write permission) just by using gzip parameters.This is not an issue for systems with regular shell access, but e.g.someone who sets up a restricted shell or allows execution of gzip via aweb interface might not expect that behavior.

The command works because there is both an /etc/ld.so.conf file as wellas an /etc/ld.so.conf.d/ directory. So the resulting filename

/etc/ld.so.conf.d/../../tmp/importantfile is a valid path.

It's up to you whether you consider this a fix-worthy bug, but I thinkit wouldn't hurt to test whether compressed and uncompressed files arein the same directory.


Cheers
 Alex

[Prev in Thread]

Current Thread

[Next in Thread]

bug#72283: Path traversal in gzip's -S option, Alex Stumpf <=
- bug#72283: Path traversal in gzip's -S option, Paul Eggert, 2024/07/24

Prev by Date: bug#72050: TileBuilder gunzip Command using older version
Next by Date: bug#72283: Path traversal in gzip's -S option
Previous by thread: bug#72050: TileBuilder gunzip Command using older version
Next by thread: bug#72283: Path traversal in gzip's -S option
Index(es):
- Date
- Thread