
Fix path traversal

Open qkaiser opened this issue 3 years ago • 1 comment

The code was implementing a path traversal check based on the detection of .. in directory names and file names. This is sufficient to protect against path traversal attacks using relative paths but insufficient for attacks using absolute paths.

This is due to the fact that the second argument of os.path.join() takes precedence if it starts with /:

>>> print(os.path.join('outdir', '/tmp/hacked'))
/tmp/hacked

Added the same check we used for ubireader (see https://github.com/jrspruitt/ubi_reader/commit/c6a1272b178a4a2a04cfc88c87f6e195b16eddb5).

qkaiser avatar Nov 02 '22 10:11 qkaiser
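The two behaviours the PR description contrasts, side by side, as an added example that is not yaffshiv's or ubi_reader's own code: a naive `..`-only check that still lets an absolute entry name escape through os.path.join(), next to a hardened resolution that normalises the joined path and confirms it stays under the output directory. The extraction directory /tmp/extract and the entry names are constructed for the demo and are not taken from the project.

```python
import os

# Constructed extraction directory and entry names (assumptions for the demo).
# /tmp/extract does not need to exist: os.path.realpath() normalises missing paths.
OUTDIR = "/tmp/extract"
SAMPLE_ENTRIES = [
    "etc/passwd",          # benign relative name
    "a/b/../c",            # '..' that still stays inside the output directory
    "../../etc/passwd",    # classic relative traversal
    "/tmp/hacked",         # absolute path, the case the PR text describes
]


def naive_is_safe(name: str) -> bool:
    """The kind of check the PR replaces: reject any name containing '..'.

    This stops relative traversal but says nothing about absolute names."""
    return ".." not in name


def naive_dest(outdir: str, name: str) -> str:
    """How a destination is built with a plain os.path.join().

    If `name` starts with '/', os.path.join() discards `outdir` entirely."""
    return os.path.join(outdir, name)


def resolve_inside(outdir: str, name: str):
    """Hardened resolution: return the real destination path if, after
    normalising '..' and resolving symlinks, it is still under `outdir`;
    otherwise return None. Handles both relative and absolute attacker names."""
    base = os.path.realpath(outdir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath() compares whole components, so '/tmp/extract2' is not
    # mistaken for a child of '/tmp/extract' the way a str.startswith() would.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify(outdir: str, names):
    """Return {name: (naive_verdict, hardened_destination_or_None)} for a batch."""
    return {n: (naive_is_safe(n), resolve_inside(outdir, n)) for n in names}


if __name__ == "__main__":
    for name, (naive_ok, dest) in classify(OUTDIR, SAMPLE_ENTRIES).items():
        verdict = "REJECT" if dest is None else dest
        print(f"{name!r:22} naive_check={naive_ok!s:5} "
              f"naive_dest={naive_dest(OUTDIR, name)!r:28} hardened={verdict}")
```

Running it shows `/tmp/hacked` passing the naive check and being written outside the output directory, while the hardened resolution rejects it along with `../../etc/passwd` and keeps `a/b/../c` because it normalises back inside. Using realpath() rather than normpath() matters during extraction: a symlink written by an earlier entry would otherwise let a later, lexically clean name escape. Stripping the leading `/` and treating absolute names as relative to the output directory is an equally valid policy; the containment check is what makes either choice safe.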

We have an upcoming publication about similar vulnerabilities affecting different extractors in ubi-reader, jefferson, yaffshiv, and binwalk. We requested CVEs for each of these vulnerabilities so that users are aware they should upgrade to the latest version (through dependabot, for example).

The one that should be fixed by this PR has been assigned CVE-2023-0593.

qkaiser avatar Jan 31 '23 09:01 qkaiser