Message-ID: <8BB6E75C-C4E8-43D4-8E20-73E9212B971F@entrust.com>
Date: Thu, 24 Apr 2025 17:09:58 +0000
From: Ian Norton <Ian.Norton@...rust.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: [EXTERNAL] Re: vulnerabilities in busybox tar and cpio tools

On Wednesday 23 April 2025 at 17:04 Jakub Wilk <jwilk@...lk.net> wrote
>
> CVE-2023-39810
> But it seems busybox committed a different patch, which looks good:
> https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641
> ("archival: disallow path traversals (CVE-2023-39810)")
>
> The essence of the patch is:
>
> +#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
> + /* Strip leading "/" and up to last "/../" path component */
> + dst_name = (char *)strip_unsafe_prefix(dst_name);
> +#endif

Yes, that looks better, but it is still an opt-in. Users would need to
compile Busybox with the FEATURE_PATH_TRAVERSAL_PROTECTION feature
enabled.

-- 
Ian

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose the information it contains. Please notify Entrust immediately and delete the message from your system.
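Review bot: the call to strip_unsafe_prefix(dst_name) in the quoted hunk is compiled out unless ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION is set, so a build with that option off still passes the archive member's unsanitised dst_name through to extraction and the traversal fix for CVE-2023-39810 does not apply. Consider making the strip unconditional, or at least defaulting the config option to enabled and stating in the commit message that builds without it remain affected, so downstream packagers do not assume the fix is in effect just because the commit is present.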