npitre cramfs-tools Path Traversal Vulnerability in Directory Handler

A path traversal vulnerability has been identified in npitre cramfs-tools versions through 2.1. The issue resides in the Directory Handler component, specifically within the do_directory function of cramfsck.c. This vulnerability allows for manipulation that could lead to unauthorized file writes outside the intended extraction directory. The exploitation can only be carried out in a local environment. The vulnerability has been publicly disclosed and can be exploited by crafting a specific cramfs image. Upgrading to version 2.2 addresses this issue.

Impact

Exploitation of this vulnerability allows for arbitrary file writes outside the designated extraction directory, potentially overwriting important files or disrupting firmware analysis processes that rely on proper filesystem extraction.

Reproduction

The vulnerability can be reproduced by creating a cramfs image with a directory entry name that includes path traversal components, such as '../'. This crafted image can then be extracted using the vulnerable version of the cramfsck tool, which will inadvertently write files outside the intended directory.

Remediation

Users are advised to upgrade to npitre cramfs-tools version 2.2, which includes the necessary fix for this vulnerability.