ArchLinux: 202107-35: dino: directory traversal | LinuxSecurity.com

Advisories

Arch Linux Security Advisory ASA-202107-35
==========================================

Severity: Medium
Date    : 2021-07-20
CVE-ID  : CVE-2021-33896
Package : dino
Type    : directory traversal
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2043

Summary
=======

The package dino before version 0.2.1-1 is vulnerable to directory
traversal.

Resolution
==========

Upgrade to 0.2.1-1.

# pacman -Syu "dino>=0.2.1-1"

The problem has been fixed upstream in version 0.2.1.

Workaround
==========

None.

Description
===========

It was discovered that when a user receives and downloads a file in
Dino before version 0.2.1, URI-encoded path separators in the file name
will be decoded, allowing an attacker to traverse directories and
create arbitrary files in the context of the user.

This vulnerability does not allow to overwrite or modify existing files
and the attacker cannot control the executable flag of created files.
However, third-party software may be affected by newly created
configuration files, potentially allowing for code execution.

The file name, including path separators, is displayed to the user,
however, long file names are ellipsized in the middle of the file name,
allowing the attacker to hide the malicious path separators, as long as
the resulting file name has sufficient length.

Impact
======

A remote attacker could create files in arbitrary locations in the
context of the user by tricking the user into downloading a file with a
crafted file name.

References
==========

https://dino.im/security/cve-2021-33896/
https://github.com/dino/dino/commit/1eaad1ccfbd00c6e76650535496531c172453994
https://security.archlinux.org/CVE-2021-33896

ArchLinux: 202107-35: dino: directory traversal

July 20, 2021
The package dino before version 0.2.1-1 is vulnerable to directory traversal

Summary

It was discovered that when a user receives and downloads a file in Dino before version 0.2.1, URI-encoded path separators in the file name will be decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user.
This vulnerability does not allow to overwrite or modify existing files and the attacker cannot control the executable flag of created files. However, third-party software may be affected by newly created configuration files, potentially allowing for code execution.
The file name, including path separators, is displayed to the user, however, long file names are ellipsized in the middle of the file name, allowing the attacker to hide the malicious path separators, as long as the resulting file name has sufficient length.

Resolution

Upgrade to 0.2.1-1.
# pacman -Syu "dino>=0.2.1-1"
The problem has been fixed upstream in version 0.2.1.

References

https://dino.im/security/cve-2021-33896/ https://github.com/dino/dino/commit/1eaad1ccfbd00c6e76650535496531c172453994 https://security.archlinux.org/CVE-2021-33896

Severity
CVE-ID : CVE-2021-33896
Package : dino
Type : directory traversal
Remote : Yes
Link : https://security.archlinux.org/AVG-2043

Impact

A remote attacker could create files in arbitrary locations in the context of the user by tricking the user into downloading a file with a crafted file name.

Workaround

None.

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.