Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <392f934a-f937-7b29-5f7f-5df3ee60d8a8@larma.de>
Date: Mon, 7 Jun 2021 10:54:03 -0600
From: Dino Team <team@...o.im>
To: oss-security@...ts.openwall.com
Subject: [CVE-2021-33896] Path traversal in Dino file transfers

### Affected software

Dino (Instant Messenger) - https://dino.im/

### Severity

Medium (4.7): AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

### Affected versions
- Release version 0.2.0
- Release version 0.1.1 and earlier
- Nightly version 0.2.0~git113.20210601.1ac16ecd and earlier

### Fixed versions
- Release version 0.2.1
- Release version 0.1.2
- Nightly version 0.2.0~git114.20210607.0c8d25b7

### Description

It was discovered that when a user receives and downloads a file in
Dino, URI-encoded path separators in the file name will be decoded,
allowing an attacker to traverse directories and create arbitrary files
in the context of the user.

This vulnerability does not allow to overwrite or modify existing files
and the attacker cannot control the executable flag of created files.
However, third-party software may be affected by newly created
configuration files, potentially allowing for code execution.

The file name, including path separators, is displayed to the user,
however, long file names are ellipsized in the middle of the file name,
allowing the attacker to hide the malicious path separators, as long as
the resulting file name has sufficient length.

### Advice

All deployments should upgrade to a fixed version or apply the patch
from commit 0c8d25b7a3e7a10a506f1e19b868fe9b0c761495.

### Credits

Many thanks to CTurt (Google) for discovering and reporting this issue.

### Links

- https://dino.im/security/cve-2021-33896/
- https://github.com/dino/dino/commit/0c8d25b7
- https://github.com/dino/dino/releases/tag/v0.2.1
- https://github.com/dino/dino/releases/tag/v0.1.2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33896
- https://nvd.nist.gov/vuln/detail/CVE-2021-33896

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.