Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Feb 2015 18:48:35 +0100
From: Vitezslav Cizek <vcizek@...e.cz>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: cpio -- directory traversal

Hi,

* Dne Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov napsal:
> Hi!
> 
> cpio is susceptible to a directory traversal vulnerability via symlinks.

Here's a patch we use in SUSE for some time.
It forbids to write over symlinks, similar to bsdtar.
It also adds a new option "--extract-over-symlinks" to restore the original
behaviour.

I sent it to Sergey Poznyakoff (upstream maintainer) in July,
but there was no response.

Here's a corresponding bug in SUSE bugzilla:
https://bugzilla.suse.com/show_bug.cgi?id=658010

> Initial report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
> 
> Upstream report:
> https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html
> 
> Some discussion:
> http://www.openwall.com/lists/oss-security/2015/01/07/5
> http://www.openwall.com/lists/oss-security/2015/01/08/4
> 
> Could CVE(s) please be assigned?
> 
> -- 
> Alexander Cherepanov

-- 
Vita Cizek

Index: cpio-2.11/src/copyin.c
===================================================================
--- cpio-2.11.orig/src/copyin.c	2014-07-01 14:02:39.991007263 +0200
+++ cpio-2.11/src/copyin.c	2014-07-22 16:05:28.171344584 +0200
@@ -686,6 +686,51 @@ copyin_link(struct cpio_file_stat *file_
   free (link_name);
 }
 .
+
+static int
+path_contains_symlink(char *path)
+{
+  struct stat st;
+  char *slash;
+  char *nextslash;
+
+  /* we got NULL pointer or empty string */
+  if (!path || !*path) {
+    return false;
+  }
+
+  slash = path;
+
+  while ((nextslash = strchr(slash + 1, '/')) != NULL) {
+    slash = nextslash;
+    *slash = '\0';
+
+    if (lstat(path, &st) != 0) {
+      if (errno == ELOOP) {
+        /* ELOOP - too many symlinks */
+        *slash = '/';
+        return true;
+      } else if (errno == ENOMEM) {
+        /* No memory for lstat - terminate */
+        xalloc_die();
+      } else {
+        /* cannot lstat path - give up */
+        *slash = '/';
+        return false;
+      }
+    }
+
+    if (S_ISLNK(st.st_mode)) {
+      *slash = '/';
+      return true;
+    }
+
+    *slash = '/';
+  }
+
+  return false;
+}
+
 static void
 copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
 {
@@ -1463,6 +1508,23 @@ process_copy_in ()
 	{
 	  /* Copy the input file into the directory structure.  */
 
+          /* Can we write files over symlinks? */
+          if (!extract_over_symlinks)
+            {
+              if (path_contains_symlink(file_hdr.c_name))
+                {
+                  /* skip the file */
+                  /*
+                  fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name);
+                  tape_toss_input (in_file_des, file_hdr.c_filesize);
+                  tape_skip_padding (in_file_des, file_hdr.c_filesize);
+                  continue;
+                  */
+                  /* terminate */
+	          error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name);
+                }
+            }
+
 	  /* Do we need to rename the file? */
 	  if (rename_flag || rename_batch_file)
 	    {
Index: cpio-2.11/src/global.c
===================================================================
--- cpio-2.11.orig/src/global.c	2014-07-17 16:33:09.768900927 +0200
+++ cpio-2.11/src/global.c	2014-07-21 17:45:58.563494706 +0200
@@ -187,6 +187,9 @@ bool to_stdout_option = false;
 /* The name this program was run with.  */
 char *program_name;
 
+/* Extract files over symbolic links */
+bool extract_over_symlinks;
+
 /* A pointer to either lstat or stat, depending on whether
    dereferencing of symlinks is done for input files.  */
 int (*xstat) ();
Index: cpio-2.11/src/main.c
===================================================================
--- cpio-2.11.orig/src/main.c	2014-07-01 14:02:39.840005051 +0200
+++ cpio-2.11/src/main.c	2014-07-17 20:33:47.839215571 +0200
@@ -57,7 +57,8 @@ enum cpio_options {
   FORCE_LOCAL_OPTION,            
   DEBUG_OPTION,                  
   BLOCK_SIZE_OPTION,             
-  TO_STDOUT_OPTION
+  TO_STDOUT_OPTION,
+  EXTRACT_OVER_SYMLINKS
 };
 
 const char *program_authors[] =
@@ -222,6 +223,8 @@ static struct argp_option options[] = {
    N_("Create leading directories where needed"), GRID+1 },
   {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
    N_("Do not change the ownership of the files"), GRID+1 },
+  {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
+   N_("Force writing over symbolic links"), GRID+1 },
   {"unconditional", 'u', NULL, 0,
    N_("Replace all files unconditionally"), GRID+1 },
   {"sparse", SPARSE_OPTION, NULL, 0,
@@ -413,6 +416,10 @@ crc newc odc bin ustar tar (all-caps als
       no_chown_flag = true;
       break;
 
+    case EXTRACT_OVER_SYMLINKS:		        /* --extract-over-symlinks */
+      extract_over_symlinks = true;
+      break;
+
     case 'o':		/* Copy-out mode.  */
       if (copy_function != 0)
 	error (PAXEXIT_FAILURE, 0, _("Mode already defined"));
Index: cpio-2.11/src/extern.h
===================================================================
--- cpio-2.11.orig/src/extern.h	2014-07-01 14:02:39.907006032 +0200
+++ cpio-2.11/src/extern.h	2014-07-17 17:11:20.948908806 +0200
@@ -95,6 +95,7 @@ extern char input_is_special;
 extern char output_is_special;
 extern char input_is_seekable;
 extern char output_is_seekable;
+extern bool extract_over_symlinks;
 extern int (*xstat) ();
 extern void (*copy_function) ();
 .
Index: cpio-2.11/doc/cpio.1
===================================================================
--- cpio-2.11.orig/doc/cpio.1	2009-02-14 19:15:50.000000000 +0100
+++ cpio-2.11/doc/cpio.1	2014-07-21 23:00:33.878746855 +0200
@@ -22,6 +22,7 @@ cpio \- copy files to and from archives
 [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
 [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
 [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command]
+[\-\-extract\-over\-symlinks]
 [\-\-help] [\-\-version] [pattern...] [< archive]
 
 .B cpio


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ