oss-sec mailing list archives

Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution


From: Vincent Lefevre <vincent () vinc17 net>
Date: Mon, 11 Aug 2025 04:22:20 +0200

On 2025-08-09 22:55:14 -0700, lunbun wrote:
> If, say, the archive is extracted to `/tmp` and the CWD is `/tmp`, then
> yes, the best an attacker can do is guess the user's login name.

There are other issues with /tmp. If I understand correctly,
the attacker could create /tmp/config.guess and /tmp/install-sh
executable files. Then if the user compiles a libtool-based
library under a subdirectory of /tmp, one of these files could
be executed:

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21951

And what about the /run/user/1000 directory? (In Debian,
the UID of the main user always seems to be 1000.)

-- 
Vincent Lefèvre <vincent () vinc17 net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
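
A pre-build check for the situation described in the message above, as an added example that is not part of the original post or of any project mentioned in it: it lists helper scripts sitting in world-writable ancestor directories of a build tree. The function names, the `AUX_NAMES` list (limited to the two file names the message mentions) and the choice to walk every ancestor up to `/` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report build helper scripts found in world-writable
# ancestors of a build directory (for instance /tmp with mode 1777).
# AUX_NAMES holds only the two names mentioned in the message; walking
# every ancestor up to / is a conservative assumption of this sketch.
AUX_NAMES="config.guess install-sh"

# True if directory $1 is writable by "other".
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Print "path owner" for each helper found in a world-writable ancestor of
# $1 (the build directory itself is not inspected).
# Returns 0 if nothing was found, 1 on any finding, 2 on a bad argument.
scan_aux_ancestors() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot enter $1" >&2; return 2; }
    found=0
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        is_world_writable "$dir" || continue
        for name in $AUX_NAMES; do
            f="${dir%/}/$name"
            # -e follows symlinks; -L also catches dangling links.
            if [ -e "$f" ] || [ -L "$f" ]; then
                owner=$(ls -ld "$f" | awk '{print $3}')
                echo "$f $owner"
                found=1
            fi
        done
    done
    return "$found"
}
```

Run it as `scan_aux_ancestors "$PWD"` from the build directory before `./configure`; any line it prints names a file to inspect, with its owner, before the build starts.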

