Date: Thu, 08 Jan 2015 15:12:34 +0100
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Directory traversals in cpio and friends?

On 01/08/2015 12:43 AM, Alexander Cherepanov wrote:
> Hi!
>
> I've taken a look at how dir traversals are dealt with in several
> implementations of tar and cpio. The picture is kinda strange.
>
> First of all, I believe it's usually agreed that archivers must not
> touch files outside the current directory by default. Is there an
> authoritative link for this?

Only if the current directory (or, more generally, the target directory 
for the extraction operation) is initially empty.

If it already contains symbolic links, some users expect that those 
links are followed because they have used symlinks to move part of the 
file system tree to somewhere else (perhaps a large file system).

> The only 'x' in the line for `cpio -i --no-absolute-filenames` seems to
> be a clear vuln. Reported here: https://bugs.debian.org/774669 and now
> sent to upstream ml.

Yes, that's inconsistent and looks like a bug worth fixing.

-- 
Florian Weimer / Red Hat Product Security
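
Added example (not part of the original message, and not code from cpio or tar): one possible extraction policy that matches the distinction drawn above. It follows symlinks that already existed in the target directory and refuses absolute names, '..' components, and parent directories that are symlinks created by the archive being extracted. The names safe_destination, UnsafeMember and created_links are hypothetical, and the directory layout is constructed.

```python
import os
import tempfile

class UnsafeMember(Exception):
    """Archive member name that must not be extracted."""

def safe_destination(target, name, created_links=frozenset()):
    """Return the path a member would be written to, or raise UnsafeMember.

    created_links (hypothetical bookkeeping): member names of symlinks that
    this extraction run created itself.
    """
    if name.startswith("/"):
        raise UnsafeMember("absolute name: " + name)
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeMember("empty name or '..' component: " + name)
    path, rel = target, ""
    # Assumption: the final component is replaced, never written through,
    # so only the parent components are checked for symlinks.
    for part in parts[:-1]:
        rel = part if not rel else rel + "/" + part
        path = os.path.join(path, part)
        if os.path.islink(path):
            if rel in created_links:
                raise UnsafeMember("parent is a symlink from the archive: " + rel)
            path = os.path.realpath(path)  # pre-existing link: follow it
    return os.path.join(path, parts[-1])

def demo():
    """Run the check over a constructed layout in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        target, outside = os.path.join(tmp, "target"), os.path.join(tmp, "big-fs")
        os.mkdir(target)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(target, "data"))   # placed by the user
        os.symlink(outside, os.path.join(target, "extra"))  # created by the archive
        for name in ("data/a.txt", "extra/a.txt", "../a.txt", "/a.txt", "new/a.txt"):
            try:
                dest = safe_destination(target, name, {"extra"})
                results[name] = os.path.relpath(dest, tmp)
            except UnsafeMember:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```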