On the 18th of March, 2026, it was discovered that simplearchiver was vulnerable to an issue in parsing existing archive files. In particular, every version of simplearchiver prior to version 2.7 is vulnerable.
Some Background
simplearchiver can be described as an alternative to tar. It can create archives, and test/extract them. Note that when testing or extracting a simplearchiver archive, a binary file is parsed according to the file format specification (the format of which is specified here).
The Problem
The problem discovered in simplearchiver was this: none of the paths parsed from the archive file were validated. Normally, this wouldn't be an issue, since an archive file created with simplearchiver is always properly created according to the file format specification. However, such an archive file can be edited by someone before being distributed to someone else. Again, this can also be a non-issue, since if anything important was being archived, the archive would've been distributed with a cryptographic hash (like sha256) to verify its validity.
The fix created for version 2.7 of simplearchiver is to validate every single parsed filename, directory name, and symbolic link name. Specifically, it checks whether any of these names/strings starts with "../", ends with "/..", or has "/../" in between. If such a string exists, then simplearchiver prints that there was an error, and halts parsing immediately.
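The check described above, written component by component, as an added example (this is not simplearchiver's own code, and the name path_is_safe is hypothetical). It goes slightly beyond the three patterns listed: it also rejects a name that is exactly ".." and, as an assumption, empty and absolute names.

```c
/* Added example, not simplearchiver's code. path_is_safe() is a hypothetical name. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true only if no '/'-separated component of name is "..". */
bool path_is_safe(const char *name) {
    if (name == NULL || name[0] == '\0') {
        return false;               /* assumption: empty names are rejected */
    }
    if (name[0] == '/') {
        return false;               /* assumption: absolute paths are rejected */
    }
    const char *p = name;
    while (*p != '\0') {
        /* Length of the current component, up to the next '/' or the end. */
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            return false;           /* covers "../x", "x/..", "x/../y", ".." */
        }
        p += len;
        if (*p == '/') {
            ++p;                    /* step over the separator */
        }
    }
    return true;
}

int main(void) {
    /* Constructed sample names, as they might be read from an archive. */
    const char *samples[] = {
        "docs/readme.txt", "../../test_file", "a/../b", "a/..", "..",
        "/abs/path", "notes..txt", "..hidden/file", "a/.../b"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        printf("%-16s %s\n", samples[i],
               path_is_safe(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

Comparing whole components rather than searching for the substring ".." keeps legitimate names such as "notes..txt" and "..hidden/file" extractable.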
Implications of the Problem
For those unfamiliar with directory traversal (common on Unix systems), any path that contains a ".." usually refers to the "previous directory" (that is, the parent directory). For example, say there was the following directory structure:
outer_dir/
- inner_dir/
    - another_dir/
If the current working directory is "another_dir" (by executing a command like
"cd outer_dir/inner_dir/another_dir"), then a command like "ls .." will print
the contents of "inner_dir", and "ls ../.." will print the contents of
"outer_dir".
As ".." refers to the previous dir, a command executed (from within
"another_dir") like "echo test > ../../test_file" will create a file called
"test_file" in the "outer_dir" directory.
The point is this: if simplearchiver accepted paths that had ".." in them, then when a maliciously crafted archive is parsed for extraction, it may create and/or modify files outside the current directory (or outside the directory specified by the "-C <dir>" option passed to simplearchiver).
Closing Remarks
Unfortunately, this kind of problem is not uncommon. Software development remains a type of work in which it is difficult to get things right, especially the first time. Luckily, there are tools to help identify and fix bugs, and there are ways to harden software to prevent other classes of bugs. It may be somewhat easy to introduce a bug in one's software, but with the tooling available these days, it may be just as easy to fix it. We can only hope that when such a bug appears, it does not cause a security issue for end-users, and that it is properly identified and fixed before giving everyone a headache.