From: Mike Kupfer
Newsgroups: gmane.emacs.bugs
Subject: bug#25611: 26.0.50; dired-do-compress unpacks .tgz files
Date: Mon, 06 Mar 2017 09:28:53 -0800
Message-ID: <22647.1488821333@alto>
References: <3061.1486093822@alto>
To: Oleh Krehel
Cc: 25611@debbugs.gnu.org

Hi Oleh,

Oleh Krehel wrote:

> > It occurs to me that this could be considered a security vulnerability.
> > If the .tgz file is (unintentionally) unpacked in $HOME and contains a
> > .ssh/authorized_keys, that could give an attacker access to the victim's
> > account.
>
> The file is uncompressed into a directory with the same name. So the
> file would have to be ~/.ssh.tar.gz. If a user presses "Z" on that
> file, it's pretty clear what will happen, same as with "C" on e.g. an
> `authorized_keys' file somewhere.

That might be the intended usage, but my testing[1] shows that there's
no enforcement. I created by hand a Desktop.tgz by doing

    tar cf Desktop.tar Desktop .ssh/known_hosts

and then compressing Desktop.tar. (I don't use an authorized_keys file
on the system that I ran the test on.) I moved Desktop.tgz to a temp
directory and then pressed "Z" on it. It unpacked Desktop okay, but it
also created .ssh/known_hosts.

I also tried editing one of the files in /Desktop and redoing "Z" on
Desktop.tgz. That silently overwrote my change.

So I think two changes are needed: one to eliminate the security risk,
the second to protect against accidental data loss.

The security risk would be closed by ensuring that foo. only unpacks
into "foo". This could be done by checking the table of contents of the
tar file and erroring out if anything is amiss. Another approach would
be to invoke tar as "tar xf ... foo". The first approach gives better
feedback to the user if there is something amiss with the tar file, but
it'll take more code. (GNU tar, at least, protects against things like
foo/../.ssh/mumble; I don't know about other variants of tar.)

To protect against accidental data loss, I recommend erroring out if
"foo" already exists, or asking the user for confirmation before
proceeding.

regards,
mike

[1] Emacs master, changeset 18c47695 from 21 February, running on Debian
stable.
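
The two checks proposed in the message above (inspect the tar table of contents before unpacking, and refuse when the target directory already exists), as an added example that is not part of the original message and not the change Emacs made. It uses Python's standard tarfile module rather than Emacs Lisp, also rejects links that point outside the directory, and all function names and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import posixpath
import tarfile

def archive_root(archive_name):
    """Directory that pressing Z should create: 'Desktop.tgz' -> 'Desktop'."""
    base = os.path.basename(archive_name)
    for ext in (".tar.gz", ".tgz"):
        if base.endswith(ext) and len(base) > len(ext):
            return base[: -len(ext)]
    raise ValueError("not a .tgz/.tar.gz name: " + archive_name)

def _inside(path, root):
    return path == root or path.startswith(root + "/")

def offending_members(tar, root):
    """List member names that would be written outside <root>/."""
    bad = []
    for m in tar.getmembers():
        path = posixpath.normpath(m.name)  # collapses foo/../.ssh/x to .ssh/x
        ok = not posixpath.isabs(m.name) and _inside(path, root)
        if ok and (m.issym() or m.islnk()):
            # Link targets must stay in root too (symlinks resolve from their dir).
            start = posixpath.dirname(path) if m.issym() else ""
            target = posixpath.normpath(posixpath.join(start, m.linkname))
            ok = not posixpath.isabs(m.linkname) and _inside(target, root)
        if not ok:
            bad.append(m.name)
    return bad

def check_before_unpack(archive_name, fileobj, dest_dir):
    """Raise instead of unpacking when either of the two problems applies."""
    root = archive_root(archive_name)
    if os.path.lexists(os.path.join(dest_dir, root)):
        raise FileExistsError(root + " already exists; refusing to overwrite")
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        bad = offending_members(tar, root)
    if bad:
        raise ValueError("members outside %s/: %s" % (root, ", ".join(bad)))
    return root

def sample_tgz(names):
    """Constructed sample input: an in-memory .tgz holding empty files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            tar.addfile(tarfile.TarInfo(name))
    return io.BytesIO(buf.getvalue())
```

An archive built like the Desktop.tgz in the test above is rejected with `.ssh/known_hosts` named in the error, which is the better user feedback the message attributes to the table-of-contents approach.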