The pathname canonicalization functionality in io/filesystem/filesystem.cc in Widelands before 15.1 expands leading ~ (tilde) characters to home-directory pathnames but does not restrict use of these characters in strings received from the network, which might allow remote attackers to conduct absolute path traversal attacks and overwrite arbitrary files via a ~ in a pathname that is used for a file transfer in an Internet game, a different vulnerability than CVE-2011-1932.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
| Link | Tags |
|---|---|
| http://bazaar.launchpad.net/~widelands-dev/widelands/build-15/revision/5021 | patch third party advisory release notes |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/71626 | third party advisory vdb entry |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617960 | third party advisory issue tracking |