This is an interesting one... https://research.nccgroup.com/2021/10/28/technical-advisory-apple-xar-arbitrary-file-write-cve-2021-30833/ "The XAR archive format supports archiving and extraction of symlinks for both files and directories. When extracting an archive which contains both a directory symlink and a file within a directory named the same as the directory symlink, xar will overwrite the directory symlink with a real directory. This protects against maliciously crafted archives where a symlink directory is unarchived and a file is unarchived into it." Apparently fixed in latest macOS.
I think the relevant quote for the actual vulnerability is this: ... xar allows for a forward-slash separated path to be specified in the file name property, e.g. <name>x/foo</name> – as long as it doesn’t traverse upwards, and the path exists within the current directory. This means an attacker can create a .xar file which contains both a directory symlink, and a file with a name property which points into the extracted symlink directory. By abusing symlink directories in this manner, an attacker can write arbitrary files to any directory on the filesystem – providing the user has permissions to write to it. ... Apple didn't release any sources (yet) for macOS 12, let alone 12.0.1 in which this is presumably fixed.
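The two quotes above describe the ingredients of the bug: a TOC entry that extracts as a directory symlink, and a second entry whose slash-separated name property lands inside it. The following is an added example, not code from xar, Apple or the NCC Group advisory. It parses a constructed, minimal imitation of xar's nested <file>/<name>/<type> TOC layout (a real archive stores the TOC gzip-compressed behind a 28-byte header, which is not handled here), flags entries whose path prefix is another entry that extracts as a symlink, and shows the component-by-component path check a safe extractor needs so that a file is never written through a symlinked directory the archive itself created. The function and file names are hypothetical.

```python
"""Spotting the CVE-2021-30833 pattern in a xar table of contents, and the
path check a safe extractor needs. Added example; this is not xar's code and
not from the advisory."""
import os
import posixpath
import tempfile
import xml.etree.ElementTree as ET

# Constructed TOC fragment imitating xar's nested <file> layout (approximate;
# a real archive stores the TOC gzip-compressed behind a 28-byte header, which
# is not parsed here). Entry 1 is a directory symlink, entry 2 is the
# slash-separated name that lands inside it, entry 5 is the upward traversal
# that xar already rejects.
SAMPLE_TOC = """<xar><toc>
  <file id="1"><name>x</name><type>symlink</type><link type="directory">/tmp/target</link></file>
  <file id="2"><name>x/foo</name><type>file</type></file>
  <file id="3"><name>docs</name><type>directory</type>
    <file id="4"><name>readme</name><type>file</type></file>
  </file>
  <file id="5"><name>../evil</name><type>file</type></file>
</toc></xar>"""


def _walk(node, parents):
    """Yield (full_path, own_name, type) for every <file> below node, in order.
    Nested <file> elements are children of their directory entry, so the full
    path is the join of all ancestor names plus the entry's own name."""
    for f in node.findall("file"):
        name = f.findtext("name", "")
        full = posixpath.join(*parents, name)
        yield full, name, f.findtext("type", "")
        yield from _walk(f, parents + [name])


def find_unsafe_entries(toc_xml):
    """Return [(path, reason, detail)] for entries that would escape the
    extraction directory: upward traversal, or a multi-component name whose
    prefix is another entry that extracts as a symlink."""
    entries = list(_walk(ET.fromstring(toc_xml).find("toc"), []))
    symlinks = {path for path, _, ftype in entries if ftype == "symlink"}
    findings = []
    for path, name, _ in entries:
        comps = path.split("/")
        if name.startswith("/") or ".." in comps:
            findings.append((path, "traversal", name))
            continue
        # Every proper prefix of the path must be a real directory entry,
        # never something the archive extracts as a symlink.
        for i in range(1, len(comps)):
            prefix = "/".join(comps[:i])
            if prefix in symlinks:
                findings.append((path, "symlink", prefix))
                break
    return findings


def safe_extract_path(root, relpath):
    """Map an archive path onto the filesystem one component at a time,
    refusing to descend through anything that is a symlink on disk. This is
    the property the advisory's fix restores: the archive cannot first drop a
    symlink and then write a file through it."""
    comps = [c for c in relpath.split("/") if c not in ("", ".")]
    if not comps or ".." in comps:
        raise ValueError(f"refusing {relpath!r}: empty or upward traversal")
    cur = root
    for comp in comps[:-1]:
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):  # lstat-based: does not follow the link
            raise ValueError(f"refusing {relpath!r}: {cur!r} is a symlink")
        os.makedirs(cur, exist_ok=True)
    return os.path.join(cur, comps[-1])


def demo():
    """Recreate the attacker's layout in a scratch directory: entry 1 has
    already dropped the symlink 'x', and entry 2 now asks for 'x/foo'.
    Returns what happened to the hostile and to the honest path."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        target = os.path.join(sandbox, "victim_dir")
        root = os.path.join(sandbox, "extract")
        os.mkdir(target)
        os.mkdir(root)
        os.symlink(target, os.path.join(root, "x"))
        try:
            safe_extract_path(root, "x/foo")
            results["x/foo"] = "written"
        except ValueError:
            results["x/foo"] = "refused"
        results["docs/readme"] = os.path.relpath(
            safe_extract_path(root, "docs/readme"), root)
    return results


if __name__ == "__main__":
    print(find_unsafe_entries(SAMPLE_TOC))
    print(demo())
```

The TOC scan is a pre-extraction triage that catches the pattern statically; the path check is what actually has to hold at write time. The islink-then-makedirs sequence in `safe_extract_path` is still racy against a concurrent writer in the extraction directory; an extractor that wants to close that window should walk with `openat`-style calls (`os.open` with `dir_fd`, `O_NOFOLLOW` and `O_DIRECTORY`) so each component is opened relative to the previous one rather than re-resolved by path.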
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f61a854bf04077812644f5a7d1b1ef508bb43d70

commit f61a854bf04077812644f5a7d1b1ef508bb43d70
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2022-07-16 19:34:13 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2022-07-16 19:35:23 +0000

    app-arch/xar-1.8.0.0.487.100.1: version bump, security fix #820641

    xar version from macOS 12.3 and up

    Bug: https://bugs.gentoo.org/820641
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 app-arch/xar/Manifest                            |  1 +
 .../xar/files/xar-1.8.0.0.487-non-darwin.patch   | 12 +++
 .../xar-1.8.0.0.487-variable-sized-object.patch  | 18 +++++
 app-arch/xar/xar-1.8.0.0.487.100.1.ebuild        | 88 ++++++++++++++++++++++
 4 files changed, 119 insertions(+)
Please stable when ready
Please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdfabd0c138da863d6430b3058e98929535f47c1

commit fdfabd0c138da863d6430b3058e98929535f47c1
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2022-08-17 19:22:53 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2022-08-17 19:22:53 +0000

    app-arch/xar: cleanup old/vulnerable

    Bug: https://bugs.gentoo.org/820641
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 app-arch/xar/Manifest               |  3 --
 app-arch/xar/xar-1.8-r2.ebuild      | 55 ------------------------
 app-arch/xar/xar-1.8-r4.ebuild      | 81 -----------------------------------
 app-arch/xar/xar-1.8.0.0.452.ebuild | 84 -------------------------------------
 4 files changed, 223 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=61702731d59a0ff1549d7cf5b9eed17d723e2e29

commit 61702731d59a0ff1549d7cf5b9eed17d723e2e29
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-07 04:42:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-07 04:42:28 +0000

    [ GLSA 202405-19 ] xar: Unsafe Extraction

    Bug: https://bugs.gentoo.org/820641
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-19.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)