From: Mike Kupfer <mkupfer@alum.berkeley.edu>
To: Oleh Krehel <ohwoeowho@gmail.com>
Cc: 25611@debbugs.gnu.org
Subject: bug#25611: 26.0.50; dired-do-compress unpacks .tgz files
Date: Mon, 06 Mar 2017 09:28:53 -0800 [thread overview]
Message-ID: <22647.1488821333@alto> (raw)
In-Reply-To: Your message of "Mon, 06 Mar 2017 11:53:15 +0100." <CAA01p3o=skAf=SNCtykM6XWrXvpEVoR9yQaHEkCTMsso9q5hbA@mail.gmail.com>
Hi Oleh,
Oleh Krehel wrote:
> > It occurs to me that this could be considered a security vulnerability.
> > If the .tgz file is (unintentionally) unpacked in $HOME and contains a
> > .ssh/authorized_keys, that could give an attacker access to the victim's
> > account.
>
> The file is uncompressed into a directory with the same name. So the
> file would have to be ~/.ssh.tar.gz. If a user presses "Z" on that
> file, it's pretty clear what will happen, same as with "C" on e.g. an
> `authorized_keys' file somewhere.
That might be the intended usage, but my testing[1] shows that there's
no enforcement. I created by hand a Desktop.tgz by doing
tar cf Desktop.tar Desktop .ssh/known_hosts
and then compressing Desktop.tar. (I don't use an authorized_keys file
on the system that I ran the test on.) I moved Desktop.tgz to a temp
directory and then pressed "Z" on it. It unpacked Desktop okay, but it
also created .ssh/known_hosts.
I also tried editing one of the files in <temp_dir>/Desktop and redoing
"Z" on Desktop.tgz. That silently overwrote my change.
So I think two changes are needed: one to eliminate the security risk,
the second to protect against accidental data loss.
The security risk would be closed by ensuring that foo.<suffix> only
unpacks into "foo". This could be done by checking the table of
contents of the tar file and erroring out if anything is amiss. Another
approach would be to invoke tar as "tar xf ... foo". The first approach
gives better feedback to the user if there is something amiss with the
tar file, but it'll take more code. (GNU tar, at least, protects
against things like foo/../.ssh/mumble; I don't know about other
variants of tar.)
To protect against accidental data loss, I recommend erroring out if
"foo" already exists, or asking the user for confirmation before
proceeding.
regards,
mike
[1] Emacs master, changeset 18c47695 from 21 February, running on Debian
stable.
next prev parent reply other threads:[~2017-03-06 17:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-03 3:50 bug#25611: 26.0.50; dired-do-compress unpacks .tgz files Mike Kupfer
2017-02-03 17:42 ` Glenn Morris
2017-03-05 0:01 ` Mike Kupfer
2017-03-06 10:53 ` Oleh Krehel
2017-03-06 17:28 ` Mike Kupfer [this message]
2017-03-06 17:51 ` Glenn Morris
2017-03-06 18:42 ` Mike Kupfer
2017-03-06 19:03 ` Mike Kupfer
2018-11-21 18:13 ` Glenn Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22647.1488821333@alto \
--to=mkupfer@alum.berkeley.edu \
--cc=25611@debbugs.gnu.org \
--cc=ohwoeowho@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.