CVE-2021-39208: 
C# vulnerability analysis and mitigation

SharpCompress, a fully managed C# library for handling various compression types and formats, was found to be vulnerable to partial path traversal in versions prior to 0.29.0. The vulnerability, identified as CVE-2021-39208, was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski) on September 3, 2021, and was patched with the release of version 0.29.0 on September 12, 2021 (GitHub Release, GitHub Advisory).

The vulnerability exists in the WriteEntryToDirectory function used for archive extraction. When ExtractFullPath is set to true, SharpCompress recreates a directory hierarchy under the destinationDirectory. While the code verifies that the destinationFileName path begins with fullDestinationDirectoryPath to prevent extraction outside the destination directory, it fails to enforce that fullDestinationDirectoryPath ends with a slash. This oversight allows for partial path traversal (GitHub Advisory).

The vulnerability allows for arbitrary file creation with limited impact due to file name and destination directory constraints. For example, if the destinationDirectory is not slash-terminated (like /home/user/dir), it becomes possible to create a file with a name that begins with the destination directory one level up from the directory (i.e., /home/user/dir.sh) (GitHub Advisory).

The vulnerability was patched in SharpCompress version 0.29.0. Users should upgrade to this version or later to address the security issue. The fix ensures proper handling of destination directory paths and includes additional security checks (GitHub Release).