Date: Fri, 06 Feb 2015 03:08:49 +0300 From: Alexander Cherepanov <ch3root@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: cpio -- directory traversal On 2015-02-02 20:48, Vitezslav Cizek wrote: > * Dne Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov napsal: >> cpio is susceptible to a directory traversal vulnerability via symlinks. > > Here's a patch we use in SUSE for some time. Thanks for sharing! > It forbids to write over symlinks, similar to bsdtar. Nice, this is a simple and easy approach. But I wonder if it's widely acceptable. GNU tar follows symlinks which are not extracted from the archive and, in http://www.openwall.com/lists/oss-security/2015/01/08/4, Florian Weimer said: "If [the current directory] already contains symbolic links, some users expect that those links are followed because they have used symlinks to move part of the file system tree to somewhere else (perhaps a large file system)." -- Alexander Cherepanov
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ