Date: Sun, 17 Apr 2016 16:25:31 +0200
From: none <ytrezq@...-eu.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: cpio -- directory traversal

On 2015-02-02 20:48, Vitezslav Cizek wrote:
>> * On Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov
>> wrote:
>>> cpio is susceptible to a directory traversal vulnerability via
>>> symlinks.
>>
>> Here's a patch we have used in SUSE for some time.
> Thanks for sharing!
>> It forbids writing over symlinks, similar to bsdtar.
> Nice, this is a simple and easy approach. But I wonder if it's widely
> acceptable. GNU tar follows symlinks which are not extracted from the
> archive and, in
> http://www.openwall.com/lists/oss-security/2015/01/08/4,
> Florian Weimer said: "If [the current directory] already contains
> symbolic links, some users expect that those links are followed because
> they have used symlinks to move part of the file system tree to
> somewhere else (perhaps a large file system)."

A year later, I see this bug is still not fixed. What about using the GNU
tar way in that case? I mean delay the creation of symlinks until all
fifo/device/regular files and directories are created (instead of
following the order in the archive)?
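The two mitigations discussed in this thread (bsdtar/SUSE: refuse to write through an existing symlink; GNU tar: create symlink members only after every other member) can be compared on a small extractor model. The following is an added example, not code from cpio, GNU tar, bsdtar or the SUSE patch; the `Entry` record, the `extract` function and its two flags, and the sample archive are all constructed for illustration. It shows that deferring symlinks keeps a file member that names a path through an archive symlink inside the extraction root, and that the two strategies differ exactly on the case Florian Weimer describes: a symlink the operator placed in the destination beforehand.

```python
"""Archive extraction model comparing deferred symlinks with refusing symlinked paths.

Constructed example for the oss-security thread on cpio; not the code of any
real extractor.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    """One archive member in archive order (constructed, not a real cpio record)."""
    kind: str          # "dir", "file" or "symlink"
    name: str          # member path relative to the extraction root
    payload: str = ""  # file contents, or the symlink target


# Constructed archive: a symlink member is followed by a file member whose
# path runs through that link.  Extracted strictly in archive order, the
# file would be written wherever the link points.
SAMPLE_ARCHIVE = [
    Entry("dir", "pkg"),
    Entry("symlink", "pkg/link", "../../elsewhere"),
    Entry("file", "pkg/link/note.txt", "hello"),
]


def _contains_symlink(root: str, relpath: str) -> bool:
    """True if any existing directory component of root/relpath is a symlink."""
    cur = root
    for part in relpath.split("/")[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return True
    return False


def _create(e: Entry, root: str) -> None:
    """Materialise one member under root; a symlink never replaces an existing path."""
    path = os.path.join(root, e.name)
    if e.kind == "dir":
        os.makedirs(path, exist_ok=True)
    elif e.kind == "file":
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(e.payload)
    elif e.kind == "symlink":
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if os.path.lexists(path):
            raise FileExistsError(path)
        os.symlink(e.payload, path)
    else:
        raise ValueError(f"unknown member kind {e.kind!r}")


def extract(entries: List[Entry], root: str, defer_symlinks: bool = True,
            refuse_symlink_paths: bool = False) -> List[str]:
    """Extract entries under root and return the names of members that were skipped.

    defer_symlinks:       create symlink members only after all other members
                          (the GNU tar strategy mentioned in the thread).
    refuse_symlink_paths: skip a member whose path crosses an existing symlink
                          (the bsdtar / SUSE-patch strategy).
    """
    skipped: List[str] = []
    deferred: List[Entry] = []

    def place(e: Entry) -> None:
        if refuse_symlink_paths and _contains_symlink(root, e.name):
            skipped.append(e.name)
            return
        try:
            _create(e, root)
        except FileExistsError:
            # A deferred symlink whose path an earlier member already turned
            # into a real directory: keep the directory, drop the link.
            skipped.append(e.name)

    for e in entries:
        if e.kind == "symlink" and defer_symlinks:
            deferred.append(e)
        else:
            place(e)
    for e in deferred:
        place(e)
    return skipped


def demo() -> dict:
    """Run both strategies in throwaway directories and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        # Deferred symlinks: the file member lands inside root as a real path.
        root = os.path.join(base, "deferred")
        os.mkdir(root)
        results["deferred_skipped"] = extract(SAMPLE_ARCHIVE, root, defer_symlinks=True)
        note = os.path.realpath(os.path.join(root, "pkg", "link", "note.txt"))
        results["deferred_inside_root"] = note.startswith(os.path.realpath(root) + os.sep)

        # Operator-placed link in the destination (Weimer's "large file system" case).
        root2 = os.path.join(base, "refuse")
        os.makedirs(os.path.join(root2, "pkg"))
        os.mkdir(os.path.join(base, "bigdisk"))
        os.symlink(os.path.join(base, "bigdisk"), os.path.join(root2, "pkg", "data"))
        archive = [Entry("file", "pkg/data/big.bin", "x")]
        results["refuse_skipped"] = extract(archive, root2, refuse_symlink_paths=True)
        results["follow_skipped"] = extract(archive, root2, refuse_symlink_paths=False)
        results["follow_landed"] = os.path.exists(os.path.join(base, "bigdisk", "big.bin"))
    return results


if __name__ == "__main__":
    print(demo())
```

Deferral alone leaves the second scenario unchanged: a link already present in the destination is still followed, which is the behaviour GNU tar keeps and the bsdtar-style check rejects, so the choice between the two is the policy question the thread raises rather than a bug in either.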