Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658548 (CVE-2018-1002209) - <dev-libs/quazip-0.7.6: zip slip - arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
Summary: <dev-libs/quazip-0.7.6: zip slip - arbitrary file write vulnerability / arbit...
Status: RESOLVED FIXED
Alias: CVE-2018-1002209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/stachenov/quazip/c...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-20 02:20 UTC by Florian Schuhmacher
Modified: 2019-03-24 20:25 UTC (History)
0 users

See Also:
Package list:
dev-libs/quazip-0.7.6
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-06-20 02:20:48 UTC 
A vulnerability has been found in the way developers have implemented the archive extraction of files. An arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar,xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. Of course if an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. This affects multiple libraries that lacks of a high level APIs that provide the archive extraction functionality.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Larry the Git Cow gentoo-dev 2018-06-20 13:03:46 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d40e5767c67082e1f69117553766ad1a3614354

commit 8d40e5767c67082e1f69117553766ad1a3614354
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-06-20 12:22:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-06-20 13:03:25 +0000

    dev-libs/quazip: 0.7.6 version bump, moved to GitHub
    
    Bug: https://bugs.gentoo.org/658548
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-libs/quazip/Manifest            |  1 +
 dev-libs/quazip/quazip-0.7.6.ebuild | 48 +++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2018-07-15 23:55:16 UTC 
Arches, please stabilise...
Comment 4 Agostino Sarubbo gentoo-dev 2018-07-17 13:55:30 UTC 
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-20 22:42:44 UTC 
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-07-29 16:27:57 UTC 
ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-11 19:09:21 UTC 
ppc stable

Last arch. Closing.
Comment 8 Larry the Git Cow gentoo-dev 2018-08-11 19:32:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1658bd3a1fc7f931f5a9451cb824a5bd2390278

commit c1658bd3a1fc7f931f5a9451cb824a5bd2390278
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-08-11 19:31:15 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-08-11 19:31:52 +0000

    dev-libs/quazip: Cleanup vulnerable 0.7.3
    
    Bug: https://bugs.gentoo.org/658548
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 dev-libs/quazip/Manifest               |  1 -
 dev-libs/quazip/quazip-0.7.3-r1.ebuild | 51 ----------------------------------
 2 files changed, 52 deletions(-)
Comment 9 Andreas Sturmlechner gentoo-dev 2018-09-15 13:15:19 UTC 
ping sec - sci is done here, in case you didn't notice.