GNU bug report logs - #25611
26.0.50; dired-do-compress unpacks .tgz files


Package: emacs;

Reported by: Mike Kupfer <mkupfer <at> alum.berkeley.edu>

Date: Fri, 3 Feb 2017 03:51:02 UTC

Severity: normal

Found in version 26.0.50



Message #17 received at 25611 <at> debbugs.gnu.org (full text, mbox):

From: Mike Kupfer <mkupfer <at> alum.berkeley.edu>
To: Oleh Krehel <ohwoeowho <at> gmail.com>
Cc: Glenn Morris <rgm <at> gnu.org>, 25611 <at> debbugs.gnu.org
Subject: Re: bug#25611: 26.0.50; dired-do-compress unpacks .tgz files
Date: Mon, 06 Mar 2017 09:28:53 -0800

Hi Oleh,

Oleh Krehel wrote:

> > It occurs to me that this could be considered a security vulnerability.
> > If the .tgz file is (unintentionally) unpacked in $HOME and contains a
> > .ssh/authorized_keys, that could give an attacker access to the victim's
> > account.
> 
> The file is uncompressed into a directory with the same name. So the
> file would have to be ~/.ssh.tar.gz. If a user presses "Z" on that
> file, it's pretty clear what will happen, same as with "C" on e.g. an
> `authorized_keys' file somewhere.

That might be the intended usage, but my testing[1] shows that there's
no enforcement.  I created by hand a Desktop.tgz by doing

    tar cf Desktop.tar Desktop .ssh/known_hosts

and then compressing Desktop.tar.  (I don't use an authorized_keys file
on the system that I ran the test on.)  I moved Desktop.tgz to a temp
directory and then pressed "Z" on it.  It unpacked Desktop okay, but it
also created .ssh/known_hosts.

I also tried editing one of the files in <temp_dir>/Desktop and redoing
"Z" on Desktop.tgz.  That silently overwrote my change.

So I think two changes are needed: one to eliminate the security risk,
the second to protect against accidental data loss.

The security risk would be closed by ensuring that foo.<suffix> only
unpacks into "foo".  This could be done by checking the table of
contents of the tar file and erroring out if anything is amiss.  Another
approach would be to invoke tar as "tar xf ... foo".  The first approach
gives better feedback to the user if there is something amiss with the
tar file, but it'll take more code.  (GNU tar, at least, protects
against things like foo/../.ssh/mumble; I don't know about other
variants of tar.)

To protect against accidental data loss, I recommend erroring out if
"foo" already exists, or asking the user for confirmation before
proceeding.

regards,
mike

[1] Emacs master, changeset 18c47695 from 21 February, running on Debian
stable.
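An added example, not code from the bug report or from Emacs, of the first approach the message proposes: read the archive's table of contents and refuse to unpack anything that would land outside foo/, combined with the existence check against accidental overwrite. All function names are this example's own, and the sample archives are constructed to mirror the Desktop.tgz described above (Desktop/ plus a stray .ssh/known_hosts); it also rejects absolute names, foo/../ escapes and links whose target points outside foo/, which the message does not spell out.

```python
import os
import posixpath
import tarfile
import tempfile

def expected_dir_for(archive_path):
    """foo.tgz / foo.tar.gz / foo.tar may only ever produce a directory named foo."""
    base = os.path.basename(archive_path)
    for suffix in (".tar.gz", ".tgz", ".tar"):
        if base.endswith(suffix):
            return base[:-len(suffix)]
    raise ValueError("unrecognised archive suffix: " + base)

def _escapes(path, expected_dir):  # absolute, ../ or a stray top-level name leaves expected_dir/
    return posixpath.isabs(path) or posixpath.normpath(path).split("/")[0] != expected_dir
def members_outside(archive_path, expected_dir):
    """Read the table of contents; return every entry that would land outside expected_dir/."""
    bad = []
    with tarfile.open(archive_path, "r:*") as tf:
        for m in tf.getmembers():
            if _escapes(m.name, expected_dir):
                bad.append(m.name)  # e.g. the stray .ssh/known_hosts from the report
            elif m.issym() and _escapes(posixpath.join(posixpath.dirname(m.name), m.linkname), expected_dir):
                bad.append(m.name)  # a symlink target is relative to the member's own directory
            elif m.islnk() and _escapes(m.linkname, expected_dir):
                bad.append(m.name)  # a hard-link target is relative to the archive root
    return bad

def safe_unpack(archive_path, dest):
    """Refuse if the archive escapes foo/ or dest/foo already exists; else extract, return dest/foo."""
    foo = expected_dir_for(archive_path)
    if stray := members_outside(archive_path, foo):
        raise ValueError("refusing to unpack %s: entries outside %s/: %s" % (archive_path, foo, stray))
    target = os.path.join(dest, foo)
    if os.path.exists(target):
        raise FileExistsError(target + " already exists; not overwriting")
    with tarfile.open(archive_path, "r:*") as tf:
        tf.extractall(dest)  # every member has been vetted above
    return target

def build_sample():
    """Constructed data mirroring the report: Desktop.tgz also carries .ssh/known_hosts; Clean.tgz is clean."""
    tmpdir = tempfile.mkdtemp()
    src = os.path.join(tmpdir, "notes.txt")
    open(src, "w").close()  # empty placeholder file to pack
    bad, good = os.path.join(tmpdir, "Desktop.tgz"), os.path.join(tmpdir, "Clean.tgz")
    with tarfile.open(bad, "w:gz") as tf:
        tf.add(src, arcname="Desktop/notes.txt")
        tf.add(src, arcname=".ssh/known_hosts")
    with tarfile.open(good, "w:gz") as tf:
        tf.add(src, arcname="Clean/notes.txt")
    return tmpdir, bad, good
```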



