From unknown Fri Aug 08 22:49:22 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#72283 <72283@debbugs.gnu.org> To: bug#72283 <72283@debbugs.gnu.org> Subject: Status: Path traversal in gzip's -S option Reply-To: bug#72283 <72283@debbugs.gnu.org> Date: Sat, 09 Aug 2025 05:49:22 +0000 retitle 72283 Path traversal in gzip's -S option reassign 72283 gzip submitter 72283 Alex Stumpf severity 72283 normal thanks From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 24 20:39:52 2024 Received: (at submit) by debbugs.gnu.org; 25 Jul 2024 00:39:52 +0000 Received: from localhost ([127.0.0.1]:34699 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sWmWM-0002p4-W0 for submit@debbugs.gnu.org; Wed, 24 Jul 2024 20:39:52 -0400 Received: from lists.gnu.org ([209.51.188.17]:46970) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sWk1a-0007D9-HO for submit@debbugs.gnu.org; Wed, 24 Jul 2024 17:59:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sWk1T-0001e0-PK for bug-gzip@gnu.org; Wed, 24 Jul 2024 17:59:47 -0400 Received: from server5.thestumpfs.de ([161.97.82.223]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sWk1R-0003V2-GW for bug-gzip@gnu.org; Wed, 24 Jul 2024 17:59:47 -0400 MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alexstumpf.de; s=2023-01-dkim; t=1721858373; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/3TJOqZ1HOUDLs1o43AZrPkMAUj5iztFDWBG0dxJvi0=; b=t+RN6x5NCC97fRILBg0BZm/yvBy1ka1F7kbrPbtvltTuSRDhu5+1OkK3DjvEpoufKIw/pH d6+c8BeR/DyVgG0+/RENvrrpcfKEfLnDoGv9v160rExalGRwsSBF47nf4KZ9k0aO0y6Ma8 OQ9fSOYTyt8JqGEkNjPNYvK00Y+o2A0L2xMaWLw2THKR1PMxAoROEqdIz8cTY6w0M5uVNn YO0sqx2iAPc1BTI1xESfZXbLjhMpWFWdSSH9/atPKZPaie+o257nvPniJWMys9mGrw1p0a d78YdtwU8nQPN4tVHkIhgCOHBCDMWWwuehCKIe0BDRzdGaB7/QNahDmzXjVPMw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alexstumpf.de; s=2023-01-dkim; t=1721858373; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/3TJOqZ1HOUDLs1o43AZrPkMAUj5iztFDWBG0dxJvi0=; b=t+RN6x5NCC97fRILBg0BZm/yvBy1ka1F7kbrPbtvltTuSRDhu5+1OkK3DjvEpoufKIw/pH d6+c8BeR/DyVgG0+/RENvrrpcfKEfLnDoGv9v160rExalGRwsSBF47nf4KZ9k0aO0y6Ma8 OQ9fSOYTyt8JqGEkNjPNYvK00Y+o2A0L2xMaWLw2THKR1PMxAoROEqdIz8cTY6w0M5uVNn YO0sqx2iAPc1BTI1xESfZXbLjhMpWFWdSSH9/atPKZPaie+o257nvPniJWMys9mGrw1p0a d78YdtwU8nQPN4tVHkIhgCOHBCDMWWwuehCKIe0BDRzdGaB7/QNahDmzXjVPMw== Date: Wed, 24 Jul 2024 23:59:33 +0200 From: Alex Stumpf To: bug-gzip@gnu.org Subject: Path traversal in gzip's -S option Message-ID: X-Sender: gnu@AlexStumpf.de Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=161.97.82.223; envelope-from=gnu@AlexStumpf.de; helo=server5.thestumpfs.de X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Wed, 24 Jul 2024 20:39:50 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) Hi, I just stumbled upon a "feature" that was probably not intended with the -S parameter: $ cat /tmp/importantfile important content $ gzip -f -k -S .d/../../tmp/importantfile /etc/ld.so.conf $ cat /tmp/importantfile $ I.e., it is possible to create/overwrite files at arbitrary locations (provided the user has write permission) just by using gzip parameters. This is not an issue for systems with regular shell access, but e.g. someone who sets up a restricted shell or allows execution of gzip via a web interface might not expect that behavior. The command works because there is both an /etc/ld.so.conf file as well as an /etc/ld.so.conf.d/ directory. So the resulting filename /etc/ld.so.conf.d/../../tmp/importantfile is a valid path. It's up to you whether you consider this a fix-worthy bug, but I think it wouldn't hurt to test whether compressed and uncompressed files are in the same directory. Cheers Alex From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 24 22:16:57 2024 Received: (at 72283-done) by debbugs.gnu.org; 25 Jul 2024 02:16:57 +0000 Received: from localhost ([127.0.0.1]:34961 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sWo2K-0005R7-UN for submit@debbugs.gnu.org; Wed, 24 Jul 2024 22:16:57 -0400 Received: from mail.cs.ucla.edu ([131.179.128.66]:60890) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sWo2I-0005Qt-M5 for 72283-done@debbugs.gnu.org; Wed, 24 Jul 2024 22:16:56 -0400 Received: from localhost (localhost [127.0.0.1]) by mail.cs.ucla.edu (Postfix) with ESMTP id A2BBC3C01409E; Wed, 24 Jul 2024 19:16:41 -0700 (PDT) Received: from mail.cs.ucla.edu ([127.0.0.1]) by localhost (mail.cs.ucla.edu [127.0.0.1]) (amavis, port 10032) with ESMTP id 7IDOi6WhXr0W; Wed, 24 Jul 2024 19:16:41 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by mail.cs.ucla.edu (Postfix) with ESMTP id 0109C3C01409F; Wed, 24 Jul 2024 19:16:41 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.10.3 mail.cs.ucla.edu 0109C3C01409F DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.ucla.edu; s=9D0B346E-2AEB-11ED-9476-E14B719DCE6C; t=1721873801; bh=BFUUuMelQ0LK2aFAa2w0gRv20DZjLgSqexlMr2tkvvQ=; h=Message-ID:Date:MIME-Version:To:From; b=nTgLenOnPKsddWA2SPRNk6uW2sgn7kNkzqOn2OxBlIp+uE5IdFRxY938LuMCienZ3 QGdwtXyqs9EMEuU0DMNbgOd3hF5Ql+9zMFpPaVOVBL1nH4jLeU1OhVQDKpRcgkyIxu Svby1o58RklzCo20Fnro3wa2uCb2ldgJPLcKKDVyKx2w549QQ77znWaBo27LdMlZan Q721RfoX3jcrkMD7IEZO7knqn/g0bdh8ENEWXUc0uT2YkC984YNLDF6Lh73xrBBno+ nwgyJR5BVmViFQQF1J5vCR73LaDOpfG1FPNF0bD0TEWH0oWHainMlxrVMvW+zMrlb+ OKPz8OUBAywhw== X-Virus-Scanned: amavis at mail.cs.ucla.edu Received: from mail.cs.ucla.edu ([127.0.0.1]) by localhost (mail.cs.ucla.edu [127.0.0.1]) (amavis, port 10026) with ESMTP id EcmupToDlBrD; Wed, 24 Jul 2024 19:16:40 -0700 (PDT) Received: from [192.168.254.12] (unknown [47.154.17.165]) by mail.cs.ucla.edu (Postfix) with ESMTPSA id D7BAE3C01409E; Wed, 24 Jul 2024 19:16:40 -0700 (PDT) Content-Type: multipart/mixed; boundary="------------0rP0O0fEXDWTpYXPr0rGlO40" Message-ID: <3bf3f87a-3280-48e5-87bd-a1bff8b8036f@cs.ucla.edu> Date: Wed, 24 Jul 2024 19:16:40 -0700 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: bug#72283: Path traversal in gzip's -S option To: Alex Stumpf References: Content-Language: en-US From: Paul Eggert Organization: UCLA Computer Science Department In-Reply-To: X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 72283-done Cc: 72283-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) This is a multi-part message in MIME format. --------------0rP0O0fEXDWTpYXPr0rGlO40 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 2024-07-24 14:59, Alex Stumpf wrote: > It's up to you whether you consider this a fix-worthy bug, Thanks for reporting that. It's bad behavior, and worth a fix. I installed the attached and am closing the bug report. --------------0rP0O0fEXDWTpYXPr0rGlO40 Content-Type: text/x-patch; charset=UTF-8; name="0001-gzip-reject-suffixes-containing.patch" Content-Disposition: attachment; filename="0001-gzip-reject-suffixes-containing.patch" Content-Transfer-Encoding: base64 RnJvbSA3NWY5ZjI5ZWM2NGVlYzYxMDI1YmQwNWY2NWJlZWVjZTYyZDNjZjg0IE1vbiBTZXAg MTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBQYXVsIEVnZ2VydCA8ZWdnZXJ0QGNzLnVjbGEuZWR1 PgpEYXRlOiBXZWQsIDI0IEp1bCAyMDI0IDE5OjEzOjUxIC0wNzAwClN1YmplY3Q6IFtQQVRD SF0gZ3ppcDogcmVqZWN0IHN1ZmZpeGVzIGNvbnRhaW5pbmcgJy8nCgpQcm9ibGVtIHJlcG9y dGVkIGJ5IEFsZXggU3R1bXBmIDxodHRwczovL2J1Z3MuZ251Lm9yZy83MjI4Mz4uCiogZ3pp cC5jIChtYWluKTogRGlhZ25vc2Ugc3VmZml4ZXMgY29udGFpbmluZyAnLycsIGFuZCBleGl0 LgotLS0KIE5FV1MgICAgICAgICAgfCAyICsrCiBkb2MvZ3ppcC50ZXhpIHwgOCArKysrKy0t LQogZ3ppcC4xICAgICAgICB8IDQgKystLQogZ3ppcC5jICAgICAgICB8IDcgKysrKysrLQog NCBmaWxlcyBjaGFuZ2VkLCAxNSBpbnNlcnRpb25zKCspLCA2IGRlbGV0aW9ucygtKQoKZGlm ZiAtLWdpdCBhL05FV1MgYi9ORVdTCmluZGV4IDBhOTVlN2YuLjMzYzViMGUgMTAwNjQ0Ci0t LSBhL05FV1MKKysrIGIvTkVXUwpAQCAtNyw2ICs3LDggQEAgR05VIGd6aXAgTkVXUyAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC0qLSBvdXRsaW5lIC0qLQogICAnZ3pp cCAtbCcgbm8gbG9uZ2VyIG1pc3JlcG9ydHMgbGVuZ3RocyBvZiBtdWx0aW1lbWJlciBpbnB1 dHMuCiAgIFtidWcgaW50cm9kdWNlZCBpbiBnemlwLTEuMTJdCiAKKyAgJ2d6aXAgLVMnIG5v dyByZWplY3RzIHN1ZmZpeGVzIGNvbnRhaW5pbmcgJy8nLgorICBbYnVnIHByZXNlbnQgc2lu Y2UgdGhlIGJlZ2lubmluZ10KIAogKiBOb3Rld29ydGh5IGNoYW5nZXMgaW4gcmVsZWFzZSAx LjEzICgyMDIzLTA4LTE5KSBbc3RhYmxlXQogCmRpZmYgLS1naXQgYS9kb2MvZ3ppcC50ZXhp IGIvZG9jL2d6aXAudGV4aQppbmRleCAxODBmYWY1Li5hOWI2N2Q2IDEwMDY0NAotLS0gYS9k b2MvZ3ppcC50ZXhpCisrKyBiL2RvYy9nemlwLnRleGkKQEAgLTM2NCwxMCArMzY0LDEyIEBA IHRoZSBjb21wcmVzc2VkIG91dHB1dCBpcyB1c3VhbGx5IGFib3V0IG9uZSBwZXJjZW50IGxh cmdlci4KIAogQGl0ZW0gLS1zdWZmaXggQHZhcntzdWZ9CiBAaXRlbXggLVMgQHZhcntzdWZ9 Ci1Vc2Ugc3VmZml4IEB2YXJ7c3VmfSBpbnN0ZWFkIG9mIEBzYW1wey5nen0uICBBbnkgc3Vm Zml4IGNhbiBiZQotZ2l2ZW4sIGJ1dCBzdWZmaXhlcyBvdGhlciB0aGFuIEBzYW1wey56fSBh bmQgQHNhbXB7Lmd6fSBzaG91bGQgYmUKKworVXNlIHN1ZmZpeCBAdmFye3N1Zn0gaW5zdGVh ZCBvZiBAc2FtcHsuZ3p9LgorQWx0aG91Z2ggYW55IHN1ZmZpeCBjYW4gYmUgZ2l2ZW4gc28g bG9uZyBhcyBpdCBkb2VzIG5vdCBjb250YWluIEBzYW1wey99LAorc3VmZml4ZXMgb3RoZXIg dGhhbiBAc2FtcHsuen0gYW5kIEBzYW1wey5nen0gc2hvdWxkIGJlCiBhdm9pZGVkIHRvIGF2 b2lkIGNvbmZ1c2lvbiB3aGVuIGZpbGVzIGFyZSB0cmFuc2ZlcnJlZCB0byBvdGhlciBzeXN0 ZW1zLgotQSBudWxsIHN1ZmZpeCBmb3JjZXMgZ3VuemlwIHRvIHRyeSBkZWNvbXByZXNzaW9u IG9uIGFsbCBnaXZlbiBmaWxlcworQW4gZW1wdHkgc3VmZml4IGZvcmNlcyBndW56aXAgdG8g dHJ5IGRlY29tcHJlc3Npb24gb24gYWxsIGdpdmVuIGZpbGVzCiByZWdhcmRsZXNzIG9mIHN1 ZmZpeCwgYXMgaW46CiAKIEBleGFtcGxlCmRpZmYgLS1naXQgYS9nemlwLjEgYi9nemlwLjEK aW5kZXggYjk3NzJlNC4uZDg3ZGIxZCAxMDA2NDQKLS0tIGEvZ3ppcC4xCisrKyBiL2d6aXAu MQpAQCAtMzE2LDggKzMxNiw4IEBAIHdpbGwgZGVzY2VuZCBpbnRvIHRoZSBkaXJlY3Rvcnkg YW5kIGNvbXByZXNzIGFsbCB0aGUgZmlsZXMgaXQgZmluZHMgdGhlcmUKIC5UUAogLkIgXC1T IC5zdWYgICBcLVwtc3VmZml4IC5zdWYKIFdoZW4gY29tcHJlc3NpbmcsIHVzZSBzdWZmaXgg LnN1ZiBpbnN0ZWFkIG9mIC5nei4KLUFueSBub24tZW1wdHkgc3VmZml4IGNhbiBiZSBnaXZl biwgYnV0IHN1ZmZpeGVzCi1vdGhlciB0aGFuIC56IGFuZCAuZ3ogc2hvdWxkIGJlIGF2b2lk ZWQgdG8gYXZvaWQgY29uZnVzaW9uIHdoZW4gZmlsZXMKK0FsdGhvdWdoIGFueSBub24tZW1w dHkgc3VmZml4IGNhbiBiZSBnaXZlbiBzbyBsb25nIGFzIGl0IGRvZXMgbm90IGNvbnRhaW4g Ii8iLAorc3VmZml4ZXMgb3RoZXIgdGhhbiAueiBhbmQgLmd6IHNob3VsZCBiZSBhdm9pZGVk IHRvIGF2b2lkIGNvbmZ1c2lvbiB3aGVuIGZpbGVzCiBhcmUgdHJhbnNmZXJyZWQgdG8gb3Ro ZXIgc3lzdGVtcy4KIAogV2hlbiBkZWNvbXByZXNzaW5nLCBhZGQgLnN1ZiB0byB0aGUgYmVn aW5uaW5nIG9mIHRoZSBsaXN0IG9mCmRpZmYgLS1naXQgYS9nemlwLmMgYi9nemlwLmMKaW5k ZXggN2ZmNDgyNi4uODY2MDI4YSAxMDA2NDQKLS0tIGEvZ3ppcC5jCisrKyBiL2d6aXAuYwpA QCAtNTY0LDcgKzU2NCwxMiBAQCBpbnQgbWFpbiAoaW50IGFyZ2MsIGNoYXIgKiphcmd2KQog I2lmZGVmIE5PX01VTFRJUExFX0RPVFMKICAgICAgICAgICAgIGlmICgqb3B0YXJnID09ICcu Jykgb3B0YXJnKys7CiAjZW5kaWYKLSAgICAgICAgICAgIHpfbGVuID0gc3RybGVuKG9wdGFy Zyk7CisgICAgICAgICAgICBmb3IgKHpfbGVuID0gMDsgb3B0YXJnW3pfbGVuXTsgel9sZW4r KykKKyAgICAgICAgICAgICAgaWYgKG9wdGFyZ1t6X2xlbl0gPT0gJy8nKQorICAgICAgICAg ICAgICAgIHsKKyAgICAgICAgICAgICAgICAgIGZwcmludGYgKHN0ZGVyciwgIiVzOiBzdWZm aXggY29udGFpbnMgJy8nXG4iLCBwcm9ncmFtX25hbWUpOworICAgICAgICAgICAgICAgICAg ZG9fZXhpdCAoRVJST1IpOworICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgIHpfc3Vm Zml4ID0gb3B0YXJnOwogICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgIGNhc2UgU1lOQ0hS T05PVVNfT1BUSU9OOgotLSAKMi40My4wCgo= --------------0rP0O0fEXDWTpYXPr0rGlO40-- From unknown Fri Aug 08 22:49:22 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Thu, 22 Aug 2024 11:24:12 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator