oss-sec mailing list archives
Re: Directory traversals in cpio and friends?
From: Alexander Cherepanov <cherepan () mccme ru>
Date: Sat, 10 Jan 2015 23:44:46 +0300
On 2015-01-08 17:12, Florian Weimer wrote:
On 01/08/2015 12:43 AM, Alexander Cherepanov wrote:I've taken a look at how dir traversals are dealt with in several implementations of tar and cpio. The picture is kinda strange. First of all, I believe it's usually agreed that archivers must not touch files outside the current directory by default. Is there an authoritative link for this?Only if the current directory (or, more generally, the target directory for the extraction operation) is initially empty.
Thank you for bringing this up. I thought about it but didn't come to any conclusion myself.
If it already contains symbolic links, some users expect that those links are followed because they have used symlinks to move part of the file system tree to somewhere else (perhaps a large file system).
It's not clear to me that this expectation should trump the expectation to be able to safely extract several archives in the same directory. tar and bsdtar handle it differently. And links to previous discussions?
The only 'x' in the line for `cpio -i --no-absolute-filenames` seems to be a clear vuln. Reported here: https://bugs.debian.org/774669 and now sent to upstream ml.
It's here: http://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html
Yes, that's inconsistent and looks like a bug worth fixing.
The only 'x' in the line for `bsdcpio -i` turned out to be a bug too: https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/8VMP28AIf2EJ -- Alexander Cherepanov
Current thread:
- Directory traversals in cpio and friends? Alexander Cherepanov (Jan 07)
- Re: Directory traversals in cpio and friends? Florian Weimer (Jan 08)
- Re: Directory traversals in cpio and friends? Alexander Cherepanov (Jan 10)
- Re: Directory traversals in cpio and friends? Jakub Wilk (Jan 09)
- Re: Directory traversals in cpio and friends? Florian Weimer (Jan 08)