Bug 28359 - fastjar directory traversal problem
Alias: None
Product: gcc
Classification: Unclassified
Component: fastjar
Version: 4.1.0
Importance: P3 normal
Target Milestone: 4.0.4
Assignee: Richard Biener
Depends on:
Reported: 2006-07-12 14:49 UTC by marcus
Modified: 2010-06-09 11:20 UTC
CC List: 3 users

See Also:
Known to work: 4.0.4 4.1.2
Known to fail:
Last reconfirmed: 2006-07-13 07:40:04

cups.jar (34.30 KB, application/octet-stream)
2006-07-12 14:50 UTC, marcus
fix.patch (258 bytes, patch)
2006-07-12 14:54 UTC, marcus
different fix (429 bytes, patch)
2006-07-12 15:14 UTC, Richard Biener
fixed patch (538 bytes, patch)
2006-07-17 14:03 UTC, Richard Biener
CVE-2010-0831.patch (1.02 KB, patch)
2010-06-09 09:39 UTC, Jakub Jelinek

Description marcus 2006-07-12 14:49:58 UTC
fastjar contains the following security problem:

When a JAR archive is extracted with filenames with "../" inside, it can
extract files outside of the current directory (a so-called directory traversal).

Unconspicious users unpacking such files could overwrite their own files,
or even system files when being root.

I am attaching a sample "cups.jar" from an earlier CUPS tarball, which exposes
this problem.
Comment 1 marcus 2006-07-12 14:50:29 UTC
Created attachment 11868

sample file with ../ paths inside.
Comment 2 marcus 2006-07-12 14:54:57 UTC
Created attachment 11869

I would propose this patch to fix this problem.
Comment 3 Richard Biener 2006-07-12 15:08:16 UTC
Comment 4 Richard Biener 2006-07-12 15:14:12 UTC
Created attachment 11870
different fix
Comment 5 Richard Biener 2006-07-12 15:19:28 UTC
I have applied the 2nd fix to the upstream (savannah) fastjar CVS.
Comment 6 Andrew Pinski 2006-07-12 16:57:23 UTC
Fastjar no longer is included with GCC so closing as will not fix.
Comment 7 Richard Biener 2006-07-12 17:47:53 UTC
Well... maybe the RM has an opinion on this.
Comment 8 marcus 2006-07-12 18:30:24 UTC
yes, this could still be fixed for release branches ;)
Comment 9 Mark Mitchell 2006-07-13 05:04:46 UTC
There's certainly no reason not to fix this on release branches.
Comment 10 Richard Biener 2006-07-13 07:39:43 UTC
Reopening then...
Comment 11 Richard Biener 2006-07-13 07:40:04 UTC
...to assign myself.
Comment 12 Jakub Jelinek 2006-07-17 12:21:02 UTC
The patch in #4 is insufficient.  Consider paths like ././../.././../etc/passwd
which satisfies the depth tests, yet clearly escapes the current dir tree.
Another question is about symlinks, if there is a foo -> ../../../../etc
symlink in the current tree, then I believe fastjar will happily store
foo/passwd into ../../../../etc/passwd, is that something that can be declared
as user's fault or should fastjar always canonicalize the filename and don't
allow leaving the current directory tree in any way?
Comment 13 marcus 2006-07-17 12:25:03 UTC
Comment 14 Richard Biener 2006-07-17 13:57:04 UTC
Indeed.  Now for symlinks it is only a problem if you can package them like

 foo -> ../../

i.e., if uncompressing a zip archive can _create_ symlinks.  On unix it can,
but it seems to "defer" their creation.

Archive:  ../t.zip
   creating: b/
    linking: b/foo                   -> ../ 
checkdir error:  b/foo exists but is not directory
                 unable to process b/foo/bar.
finishing deferred symbolic links:
  b/foo                  -> ../
Comment 15 Richard Biener 2006-07-17 14:03:55 UTC
Created attachment 11904
fixed patch

Version of the patch that doesn't count "." parts in the filename as depth.
Comment 16 Matthias Klose 2006-08-05 09:27:19 UTC
Subject: Bug 28359

Author: doko
Date: Sat Aug  5 09:27:11 2006
New Revision: 115945

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=115945
        PR fastjar/28359 / CVE-2006-3619

        2006-07-17  Richard Guenther  <rguenther@suse.de>
        * jartool.c (extract_jar): Do not allow directory traversal
        to parents of the extraction root.


Comment 17 Matthias Klose 2006-08-05 09:43:10 UTC
Subject: Bug 28359

Author: doko
Date: Sat Aug  5 09:43:02 2006
New Revision: 115946

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=115946
        PR fastjar/28359 / CVE-2006-3619

        2006-07-17  Richard Guenther  <rguenther@suse.de>
        * jartool.c (extract_jar): Do not allow directory traversal
        to parents of the extraction root.


Comment 18 Richard Biener 2006-08-11 19:46:19 UTC
I think this is now fixed.
Comment 19 Jakub Jelinek 2010-06-09 09:39:09 UTC
Created attachment 20874

Just for the record, the patch that went in leaves fastjar still vulnerable.
The main issue is that tmp_buff isn't the current directory component, but
the current directory component with all previous directory components, so the
.. and . tests will match only for the first component.

has some patch, but it is very ugly and inefficient.
Comment 20 marcus 2010-06-09 11:20:23 UTC
Jakub's patch looks good to me.
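
Added example, not part of the bug thread and not fastjar's code: a per-component depth check of the kind Comments 12, 15 and 19 discuss, next to a constructed model of the flaw described in Comment 19, where the test sees the whole prefix instead of one component. Function names and sample paths are assumptions; the check is purely lexical and does not address the symlink case raised in Comments 12 and 14.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the entry name would leave the extraction root, else 0.
   Each component is tested on its own: "." and empty components are
   neutral, ".." goes up one level, any other name goes down one. */
int escapes_root(const char *name)
{
    int depth = 0;
    const char *p = name;
    if (*p == '/') return 1;              /* absolute path */
    while (*p) {
        size_t len = strcspn(p, "/");     /* this component only */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 1;    /* climbed above the root */
        } else if (len > 1 || (len == 1 && p[0] != '.')) {
            depth++;
        }
        p += len;
        if (*p == '/') p++;
    }
    return 0;
}

/* Constructed model of the flaw in Comment 19: the string compared with
   "." and ".." is the prefix name[0..end), so the tests can only match
   when "." or ".." is the first component. */
int escapes_root_prefix_bug(const char *name)
{
    int depth = 0;
    size_t end = 0;
    while (name[end]) {
        end += strcspn(name + end, "/");
        if (end == 2 && strncmp(name, "..", 2) == 0) {
            if (--depth < 0) return 1;
        } else if (!(end == 1 && name[0] == '.')) {
            depth++;                      /* "a/.." is counted as a name */
        }
        if (name[end] == '/') end++;
    }
    return 0;
}

int main(void)
{
    const char *t[] = { "b/foo/bar", "../x", "a/../../etc/passwd",
                        "././../.././../etc/passwd" };  /* constructed */
    for (int i = 0; i < 4; i++)
        printf("%-28s fixed=%d prefix_bug=%d\n", t[i],
               escapes_root(t[i]), escapes_root_prefix_bug(t[i]));
    return 0;
}
```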