Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 10 Jan 2015 23:44:46 +0300
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com
Subject: Re: Directory traversals in cpio and friends?

On 2015-01-08 17:12, Florian Weimer wrote:
> On 01/08/2015 12:43 AM, Alexander Cherepanov wrote:
>> I've taken a look at how dir traversals are dealt with in several
>> implementations of tar and cpio. The picture is kinda strange.
>>
>> First of all, I believe it's usually agreed that archivers must not
>> touch files outside the current directory by default. Is there an
>> authoritative link for this?
>
> Only if the current directory (or, more generally, the target directory
> for the extraction operation) is initially empty.

Thank you for bringing this up. I thought about it but didn't come to 
any conclusion myself.

> If it already contains symbolic links, some users expect that those
> links are followed because they have used symlinks to move part of the
> file system tree to somewhere else (perhaps a large file system).

It's not clear to me that this expectation should trump the expectation 
to be able to safely extract several archives in the same directory. tar 
and bsdtar handle it differently. And links to previous discussions?

>> The only 'x' in the line for `cpio -i --no-absolute-filenames` seems to
>> be a clear vuln. Reported here: https://bugs.debian.org/774669 and now
>> sent to upstream ml.

It's here:

http://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html

> Yes, that's inconsistent and looks like a bug worth fixing.

The only 'x' in the line for `bsdcpio -i` turned out to be a bug too:

https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/8VMP28AIf2EJ

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.