This is due to the fact that a node name (dent_node.name) is considered trusted and joined to the extraction directory path during processing, then the node content is written to that joined path. Ubireader_extract_files is vulnerable to path traversal when run against specifically crafted UBIFS files, allowing the attacker to overwrite files outside of the extraction directory (provided the process has write access to that file or directory). The attacker can choose to read sensitive information from that file, or modify the information in that file. For example, a local attacker can create /tmp/.sentry-native-etserver with mode 0777 before the etserver process is started. In Eternal Terminal 6.2.1, TelemetryService uses fixed paths in /tmp. Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection.
