Date: Fri, 06 Feb 2015 03:08:49 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: cpio -- directory traversal

On 2015-02-02 20:48, Vitezslav Cizek wrote:
> * On Friday 16 January 2015, 03:44:25 [CET] Alexander Cherepanov wrote:
>> cpio is susceptible to a directory traversal vulnerability via symlinks.
>
> Here's a patch we have used in SUSE for some time.

Thanks for sharing!

> It forbids writing over symlinks, similar to bsdtar.

Nice, this is a simple and easy approach. But I wonder if it's widely
acceptable. GNU tar follows symlinks which are not extracted from the
archive and, in http://www.openwall.com/lists/oss-security/2015/01/08/4,
Florian Weimer said: "If [the current directory] already contains
symbolic links, some users expect that those links are followed because
they have used symlinks to move part of the file system tree to
somewhere else (perhaps a large file system)."

-- 
Alexander Cherepanov
