oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request: BusyBox tar directory traversal

From: Robert Watson <robertcwatson1 () gmail com>
Date: Thu, 22 Oct 2015 22:40:29 -0400
Apologies if I'm naive but... since /tmp is world writable, how is this a
vulnerability?




*Trust in truth keeps hope aliverobertcwatson1 () gmail com
<robertcwatson1 () gmail com>www.docsalvage.info
<http://www.docsalvage.info>www.CivicChorale.org
<http://www.CivicChorale.org>*
<http://www.wunderground.com/cgi-bin/findweather/getForecast?query=Tallahassee,%20FL>
<https://www.healthcare.gov/>

On Wed, Oct 21, 2015 at 11:36 AM, Tyler Hicks <tyhicks () canonical com> wrote:


Hello - The BusyBox implementation of tar will extract a symlink that
points outside of the current working directory and then follow that
symlink when extracting other files. This allows for a directory
traversal attack when extracting untrusted tarballs.

This behavior was documented in the BusyBox source with the following
2011 commit:


http://git.busybox.net/busybox/commit/?id=a116552869db5e7793ae10968eb3c962c69b3d8c

I've created an upstream bug report:

  https://bugs.busybox.net/8411

Can we get a CVE assigned to track this? Thanks!

Tyler
Previous By Date Next
Previous By Thread Next

Current thread: