Multiple vendor file archivers file extraction directory traversal

archive-extraction-directory-traversal (10224) The risk level is classified as Medium Risk

Description:

Multiple vendors' file archivers (GNU tar, Info-ZIP UnZip, PKWARE PKZIP, and RARSoft RAR) are vulnerable to directory traversal during extraction, which could allow an attacker to create or overwrite files anywhere the extracting user can write. If a member name stored in the archive contains "dot dot" (..) sequences, a leading slash, or other path-specifying characters, an attacker who supplies a crafted archive could escape the extraction directory when a user extracts it, overwrite or corrupt existing files, or plant Trojan files on the system.
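The following is an added example, not code from the X-Force entry or from any of the archivers it lists. It builds a tar archive in memory whose member names carry the patterns the advisory describes (".." components, an absolute path, the "/.." and "./.." variants of CVE-2002-0399, and a symlink pointing outside the destination), shows a schematic of the kind of ordering bug that lets "/../x" survive a leading-slash strip, and then applies a containment check that resolves each member under the destination before extracting it. The sample member names, the destination path, and the function names are all constructed for the illustration; the naive filter is a sketch of the bug class, not GNU tar's code.

```python
"""Added example: hostile tar member names and a containment check (not from X-Force or GNU tar)."""
import io
import os
import posixpath
import tarfile
import tempfile

# Constructed sample members: (name, symlink target or None). The first is benign;
# the rest are the traversal, absolute-path and symlink patterns the advisory describes.
SAMPLE_MEMBERS = [
    ("docs/readme.txt", None),
    ("../../etc/cron.d/backdoor", None),   # classic dot-dot (CVE-2001-1267 class)
    ("/etc/passwd", None),                 # absolute name (CVE-2001-1269 class)
    ("/../etc/profile", None),             # leading-slash variant (CVE-2002-0399 class)
    ("./../.bashrc", None),                # ./.. variant (CVE-2002-0399 class)
    ("subdir/../../escape", None),         # dot-dot in the middle of the name
    ("out", "/etc"),                       # symlink whose target is outside the destination
    ("out/shadow", None),                  # would write through that symlink if it had been created
]

DEMO_DEST = "/tmp/extract-demo"  # hypothetical destination; it need not exist for the check


def build_archive(members):
    """Return the bytes of a tar archive containing the given members.
    tarfile.TarInfo accepts any name, so hostile names are trivial to produce."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link in members:
            info = tarfile.TarInfo(name=name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
            else:
                data = b"payload\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_sanitize(name):
    """Schematic of the flawed approach (illustrative, not tar's code): reject names that
    start with '..', THEN strip a leading '/' or './'. The order is wrong, so '/../x'
    and './../x' pass the check and come out as '../x'. Returns None when rejected."""
    if name.startswith(".."):
        return None
    while name.startswith("/") or name.startswith("./"):
        name = name[1:] if name.startswith("/") else name[2:]
    return name


def is_safe_member(dest, member):
    """Resolve the member's path under dest (against the real filesystem, so symlinks
    already extracted are followed) and require it to stay inside. Rejects absolute
    names, any '..' component, and symlink/hardlink targets that leave dest."""
    dest = os.path.realpath(dest)
    name = member.name
    if posixpath.isabs(name) or ".." in name.split("/"):
        return False
    target = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([dest, target]) != dest:
        return False
    if member.issym() or member.islnk():
        link = member.linkname
        if posixpath.isabs(link):
            return False
        # A symlink target is relative to the link's own directory; a hard link
        # target is an archive-relative name, so it is resolved against dest.
        base = os.path.dirname(target) if member.issym() else dest
        resolved = os.path.realpath(os.path.join(base, link))
        if os.path.commonpath([dest, resolved]) != dest:
            return False
    return True


def classify(archive_bytes, dest):
    """Return (accepted, rejected) member-name lists without touching the filesystem."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            (accepted if is_safe_member(dest, member) else rejected).append(member.name)
    return accepted, rejected


def extract_safely(archive_bytes, dest):
    """Extract members one at a time, validating each against the current state of dest.
    On Python versions that have tarfile's 'data' filter, it is applied as a second layer."""
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if is_safe_member(dest, member):
                tar.extract(member, path=dest, **extra)
                written.append(member.name)
    return written


if __name__ == "__main__":
    archive = build_archive(SAMPLE_MEMBERS)
    print("classify:", classify(archive, DEMO_DEST))
    with tempfile.TemporaryDirectory() as tmp:
        print("extracted:", extract_safely(archive, tmp))
```

Note that `classify` accepts "out/shadow": because the "out" symlink was refused, that member lands as an ordinary file under the destination. The check only stays correct because `is_safe_member` is evaluated per member at extraction time against the real filesystem; a pre-scan of names alone cannot see symlinks created by earlier members.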


Consequences:

File Manipulation

Remedy:

For GNU tar 1.13.19 and earlier:
Upgrade to the latest version of tar (1.13.25 or later), available from the GNU FTP site. See References.

For UnZip 5.42 and earlier:
Upgrade to the latest version of UnZip (5.50 or later), available from the Info-ZIP Web site. See References.

For Red Hat Linux (tar):
Refer to RHSA-2006:0195-8 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux containing the tar packages:
Upgrade to the latest sys-apps/tar package, as listed in Gentoo Linux Security Announcement 2002-10-01 12:30 UTC. See References.

For Gentoo Linux containing the unzip packages:
Upgrade to the latest app-arch/unzip package, as listed in Gentoo Linux Security Announcement 2002-10-01 10:30 UTC. See References.

For EnGarde Secure Linux Community Edition:
Upgrade to the latest tar package (1.13.25-1.0.5 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20021003-022. See References.

For Mandrake Linux:
Upgrade to the latest unzip packages, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:065: unzip for more information. See References.

Linux-Mandrake 7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1 and Single Network Firewall 7.2: 5.50-2.1mdk or later

For Mandrake Linux:
Upgrade to the latest tar packages, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:066: tar for more information. See References.

Linux-Mandrake 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, Corporate Server 1.0.1 and Single Network Firewall 7.2: 1.13.25-6.2mdk or later

For Conectiva Linux:
Upgrade to the latest tar and unzip packages, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:538 for more information. See References.

tar:
Conectiva Linux 6.0: 1.13.25-1U60_1cl or later
Conectiva Linux 7.0: 1.13.25-1U70_1cl or later
Conectiva Linux 8.0: 1.13.25-2U80_1cl or later

unzip:
Conectiva Linux 6.0: 5.50-1U60_1cl or later
Conectiva Linux 7.0: 5.50-1U70_1cl or later
Conectiva Linux 8.0: 5.50-1U80_1cl or later

For SUSE Linux (star):
Refer to SUSE-SR:2007:019 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • BugTraq Mailing List, Thu Sep 26 2002 - 19:11:07 CDT: Allot Netenforcer problems, GNU TAR flaw.
  • CIAC Information Bulletin N-041: Sun Linux Vulnerabilities in "unzip" and GNU "tar" Commands.
  • Conectiva Linux Announcement CLSA-2002:538: tar/unzip.
  • EnGarde Secure Linux Security Advisory ESA-20021003-022: tar: directory traversal vulnerability.
  • Full-Disclosure Mailing List, Tue Oct 01 2002 - 05:38:05 CDT: GLSA: unzip.
  • Gentoo Linux Security Announcement 2002-10-01 12:30 UTC: tar: directory-traversal vulnerability.
  • GNU FTP site: gnu/tar/.
  • Info-ZIP Web site: InfoZIP's UnZip.
  • PKWARE Inc. Web site: PKWARE - Home of Genuine PKZIP Products.
  • SECURITY.NNOV Advisory July, 2, 2001: Directory traversal and path globbing in multiple archivers.
  • Sun Alert ID: 47800: Sun Linux Vulnerabilities in "unzip" and GNU "tar" During File Extraction.
  • ASA-2006-110: tar security update (RHSA-2006-0195)
  • BID-3024: GNU Tar Hostile Destination Path Vulnerability
  • BID-5834: GNU Tar Hostile Destination Path Variant Vulnerability
  • BID-5835: Info-ZIP UnZip Hostile Destination Path Vulnerability
  • BID-5933: PKWare PKZip Hostile Destination Path Vulnerability
  • CVE-2001-1267: Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot).
  • CVE-2001-1268: Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.
  • CVE-2001-1269: Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the '/' (slash) character.
  • CVE-2001-1270: Directory traversal vulnerability in the console version of PKZip (pkzipc) 4.00 and earlier allows attackers to overwrite arbitrary files during archive extraction with the -rec (recursive) option via a .. (dot dot) attack on the archived files.
  • CVE-2001-1271: Directory traversal vulnerability in rar 2.02 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) attack on archived filenames.
  • CVE-2002-0399: Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, and possibly later versions, allows attackers to overwrite arbitrary files during archive extraction via a (1) /.. or (2) ./.. string, which removes the leading slash but leaves the .., a variant of CVE-2001-1267.
  • CVE-2002-1216: GNU tar 1.13.19 and other versions before 1.13.25 allows remote attackers to overwrite arbitrary files via a symlink attack, as the result of a modification that effectively disabled the security check.
  • CVE-2005-1918: The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an incorrect optimization that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving /../ sequences with a leading /.
  • MDKSA-2002:065: Updated unzip packages fix directory traversal vulnerability
  • MDKSA-2002:066: Updated tar packages fix directory traversal vulnerability
  • MDKSA-2003:024: Updated packages fix multiple vulnerabilities
  • MDKSA-2006:219: Updated tar packages fix vulnerability
  • OpenPKG-SA-2006.038: GNU tar
  • RHSA-2002-096: Updated unzip and tar packages fix vulnerabilities
  • RHSA-2002-138: unzip security update
  • RHSA-2003-218: Updated unzip and tar packages that fix vulnerabilities are now available
  • RHSA-2006-0195: tar security update
  • SA20397: Avaya Products "tar" Directory Traversal Vulnerability
  • SECTRACK ID: 1015655: Tar on Red Hat Enterprise Linux Lets Remote Users Write Files
  • SUSE-SR:2006:005: SUSE Security Summary Report
  • SUSE-SR:2007:019: SUSE Security Summary Report

Platforms Affected:

  • Conectiva Linux 6.0
  • Conectiva Linux 7.0
  • Conectiva Linux 8.0
  • EnGarde Secure Linux
  • Gentoo Linux
  • Info-ZIP UnZip 5.42 and prior
  • MandrakeSoft Mandrake Linux 2006
  • MandrakeSoft Mandrake Linux 2006 X86_64
  • MandrakeSoft Mandrake Linux 2007 X86_64
  • MandrakeSoft Mandrake Linux 2007
  • MandrakeSoft Mandrake Linux 7.1
  • MandrakeSoft Mandrake Linux 7.2
  • MandrakeSoft Mandrake Linux 8.0 PPC
  • MandrakeSoft Mandrake Linux 8.0
  • MandrakeSoft Mandrake Linux 8.1
  • MandrakeSoft Mandrake Linux 8.1 IA64
  • MandrakeSoft Mandrake Linux 8.2 PPC
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux 9.0
  • MandrakeSoft Mandrake Linux Corporate Server 1.0.1
  • MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 3.0
  • MandrakeSoft Mandrake Linux Corporate Server 4.0
  • MandrakeSoft Mandrake Linux Corporate Server 4.0 X86_64
  • MandrakeSoft Mandrake Multi Network Firewall 2.0
  • MandrakeSoft Mandrake Single Network Firewall 7.2
  • OpenPKG OpenPKG 2-STABLE
  • OpenPKG OpenPKG CURRENT
  • OpenPKG OpenPKG Enterprise E1.0-SOLID
  • PKWARE PKZIP 4.00
  • RARSoft RAR 2.02 and prior
  • RedHat Enterprise Linux 2.1 WS
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Enterprise Linux 2.1 ES
  • RedHat Enterprise Linux 3 Desktop
  • RedHat Enterprise Linux 3 AS
  • RedHat Enterprise Linux 3 ES
  • RedHat Enterprise Linux 3 WS
  • RedHat Linux 6.2
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.1 for iSeries
  • RedHat Linux 7.1 for pSeries
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • SUSE SuSE Linux

Reported:

Jul 02, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
