CVE-2021-28650: A malicious archive allows Directory Traversal during extraction in complex situations
Although I made an attempt to avoid extraction outside the destination dir recently (adb067e6), there are still some ways to bypass those checks, and some related issues, e.g. with hardlinks:

- When extracting, `autoar_extractor_do_sanitize_pathname` doesn't correctly handle a symlink in parents whose target looks like `anothersymlink/..`, which still allows writing files outside of the destination. See file-roller#108 (comment 1032741) for more details.
- When extracting, there is logic to remove a common prefix from paths to avoid creating a redundant folder. The problem is that the already implemented symlink checks (adb067e6) are based on the original path, and thus it is possible that some files will be written to the parent of the destination dir because of this.
- When extracting, `autoar_extractor_do_sanitize_pathname` is not called with the original pathname string; instead, a `GFile` created from `archive_entry_pathname` is passed in. The problem is that such a path can contain `..` segments and GIO does not care about symlinks (file-roller#108 (comment 1037485)), so the final path might be wrong. This is actually not a security issue itself, but we should be aware of this if we decide to prevent extraction of files with symlink parents or `..` segments, as mentioned on file-roller#108 (comment 1037485).
- When extracting, it is allowed to create hardlinks to targets which are outside of the destination because of the already mentioned issues, which is a problem in itself. What is worse is that if the archive contains a file with the same path, then I suppose the hardlink target (outside of the destination dir) can probably be modified, as `G_FILE_CREATE_REPLACE_DESTINATION` is not used currently!
Edited by Ondrej Holy
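The following is an added example and is not gnome-autoar code; it reproduces two of the points from the report above in Python rather than in C/GIO, inside a temporary directory it builds itself. All names in it (`dest`, `outside`, `other`, `evil`, `secret.txt`, `link.txt`, `safe_target`, and so on) are made up for the demo. It shows, first, that a symlink whose target reads `other/..` looks like it points at the destination when the target is resolved lexically, but physically resolves to the destination's parent once `other` is followed, so a `normpath`-style check accepts `evil/pwned.txt` while a per-component symlink refusal plus a resolved-path containment check rejects it; and second, that truncating and writing an existing name that is a hardlink modifies the inode outside the destination, whereas write-to-temp-and-rename (the replace-destination behaviour the last bullet asks for) leaves it untouched.

```python
# Added demo (not gnome-autoar code): a symlink chain that defeats a lexical
# path check, and an in-place write through a hardlink that reaches outside dest.
import os
import shutil
import tempfile


def build_scenario():
    """Constructed layout: dest/other -> ../outside, dest/evil -> other/..
    (lexically '.', physically root/), dest/link.txt hardlinked to
    outside/secret.txt, which must stay untouched."""
    root = tempfile.mkdtemp()
    dest, outside = os.path.join(root, "dest"), os.path.join(root, "outside")
    for d in (dest, outside):
        os.makedirs(d)
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as f:
        f.write("original\n")
    os.symlink("../outside", os.path.join(dest, "other"))
    os.symlink("other/..", os.path.join(dest, "evil"))
    os.link(secret, os.path.join(dest, "link.txt"))
    return root, dest, secret


def is_within(dest, path):
    # True only if the fully resolved (physical) path lies inside dest.
    real_dest, real_path = os.path.realpath(dest), os.path.realpath(path)
    return real_path == real_dest or real_path.startswith(real_dest + os.sep)


def lexical_symlink_target(dest, link_name):
    """Where a lexical check believes a symlink inside dest points."""
    target = os.readlink(os.path.join(dest, link_name))
    return os.path.normpath(os.path.join(dest, os.path.dirname(link_name), target))


def safe_target(dest, member):
    """Hardened check: reject absolute names and '..' segments, refuse to
    descend through a symlink, and require the physical parent to be in dest."""
    if member.startswith("/"):
        raise ValueError("absolute member name: %s" % member)
    parts = [p for p in member.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty name or '..' segment: %s" % member)
    cur = dest
    for p in parts[:-1]:
        cur = os.path.join(cur, p)
        if os.path.islink(cur):
            raise ValueError("symlink in parent path: %s" % cur)
    if not is_within(dest, cur):
        raise ValueError("parent escapes destination: %s" % cur)
    return os.path.join(cur, parts[-1])


def write_in_place(path, data):
    """Truncate-and-write follows an existing hardlink to the shared inode."""
    with open(path, "w") as f:
        f.write(data)


def write_replace(path, data):
    """Replace-destination semantics: write a temp file and rename it over the
    old name, which drops the old hardlink instead of writing through it."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(data)
    os.replace(tmp, path)


def demo():
    """Run the scenario; return the observations as a dict of booleans."""
    root, dest, secret = build_scenario()
    out = {}
    try:
        # Weak check: join + normpath, no filesystem lookups.
        lex = os.path.normpath(os.path.join(dest, "evil/pwned.txt"))
        out["lexical_looks_inside"] = lex.startswith(dest + os.sep)
        out["physically_inside"] = is_within(dest, os.path.dirname(lex))
        out["evil_lexically_points_to_dest"] = lexical_symlink_target(dest, "evil") == dest
        out["evil_really_points_to_root"] = os.path.realpath(os.path.join(dest, "evil")) == os.path.realpath(root)
        try:
            safe_target(dest, "evil/pwned.txt")
            out["safe_rejects_symlink_parent"] = False
        except ValueError:
            out["safe_rejects_symlink_parent"] = True
        out["safe_accepts_plain_name"] = safe_target(dest, "sub/ok.txt") == os.path.join(dest, "sub", "ok.txt")
        # Existing name in dest is a hardlink to the outside file.
        link = os.path.join(dest, "link.txt")
        write_in_place(link, "tampered\n")
        out["in_place_write_changed_outside_file"] = open(secret).read() == "tampered\n"
        write_replace(link, "replaced\n")
        out["replace_left_outside_file_alone"] = open(secret).read() == "tampered\n"
        out["replace_wrote_new_file_in_dest"] = open(link).read() == "replaced\n"
    finally:
        shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-40s %s" % (name, value))
```

Run it directly to see each observation printed. Two caveats a real extractor has to add: the `realpath` containment check in `safe_target` is a check-then-use race against anyone who can replace a parent component between the check and the `open`, so a production implementation should walk the parents with `O_NOFOLLOW`/`openat`-style calls rather than path strings; and the hardlink point cuts both ways: besides refusing to create hardlinks whose target resolves outside the destination, the extractor must not write through a name that already exists there, which is exactly what the temp-file-and-rename path above (and the replace-destination flag the last bullet names) avoids.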