restic/changelog/0.8.0_2017-11-26/issue-1445
Alexander Neumann 84dcc3c396 Update changelog/ for new version of calens
We've reworked calens[1] a bit, the changelog/releases file is not
needed any more. Insteady, the release date is stored in the dir name
which contains the changelog entries.

[1] https://github.com/restic/calens
2018-02-16 23:05:58 +01:00

18 lines
972 B
Text

Security: Prevent writing outside the target directory during restore
A vulnerability was found in the restic restorer, which allowed attackers in
special circumstances to restore files to a location outside of the target
directory. Due to the circumstances we estimate this to be a low-risk
vulnerability, but urge all users to upgrade to the latest version of restic.
Exploiting the vulnerability requires a Linux/Unix system which saves backups
via restic and a Windows systems which restores files from the repo. In
addition, the attackers need to be able to create create files with arbitrary
names which are then saved to the restic repo. For example, by creating a file
named "..\test.txt" (which is a perfectly legal filename on Linux) and
restoring a snapshot containing this file on Windows, it would be written to
the parent of the target directory.
We'd like to thank Tyler Spivey for reporting this responsibly!
https://github.com/restic/restic/pull/1445