Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 820614 - <app-misc/binwalk-2.3.3: directory traversal in archive extraction
Summary: <app-misc/binwalk-2.3.3: directory traversal in archive extraction
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+]
Depends on: 820608
  Show dependency tree
Reported: 2021-10-28 18:13 UTC by John Helmert III
Modified: 2023-09-17 06:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-28 18:13:52 UTC
"Prior to Binwalk v2.3.3, extracted archives could create symlinks which point anywhere on the file system, potentially resulting in a directory traversal attack if subsequent extraction utilties blindly follow these symlinks. More generically, Binwalk makes use of many third-party extraction utilties which may have unpatched security issues; Binwalk v2.3.3 and later allows external extraction tools to be run as an unprivileged user using the `run-as` command line option (this requires Binwalk itself to be run with root privileges). Additionally, Binwalk v2.3.3 and later will refuse to perform extraction as root unless `--run-as=root` is specified."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-30 22:04:31 UTC
Please cleanup
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-20 19:43:21 UTC
Why would this depend on binwalk-2.3.4?

Anyway, cleanup was done in 8875a03087f1a8c5bc3d8615ea510dceae16d799.
Comment 3 Larry the Git Cow gentoo-dev 2023-09-17 06:33:26 UTC
The bug has been referenced in the following commit(s):

commit a522416d0d59ed1f4e1d69e41885666abf6d880a
Author:     GLSAMaker <>
AuthorDate: 2023-09-17 06:32:11 +0000
Commit:     Sam James <>
CommitDate: 2023-09-17 06:33:22 +0000

    [ GLSA 202309-07 ] Binwalk: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Sam James <>

 glsa-202309-07.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)