oss-sec mailing list archives
Re: CVE Request: cpio -- directory traversal
From: none <ytrezq () sdf-eu org>
Date: Sun, 17 Apr 2016 16:25:31 +0200
On 2015-02-02 20:48, Vitezslav Cizek wrote:
On Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov wrote:
cpio is susceptible to a directory traversal vulnerability via symlinks.
Here's a patch we use in SUSE for some time.
Thanks for sharing!
It forbids to write over symlinks, similar to bsdtar.
Nice, this is a simple and easy approach. But I wonder if it's widely acceptable. GNU tar follows symlinks which are not extracted from the archive and, in http://www.openwall.com/lists/oss-security/2015/01/08/4, Florian Weimer said: "If [the current directory] already contains symbolic links, some users expect that those links are followed because they have used symlinks to move part of the file system tree to somewhere else (perhaps a large file system)."
A year later, I see this bug is still not fixed. What about using the GNU tar way in that case? I mean, delay the creation of symlinks until all fifo/device/regular files and directories are created (instead of following the order in the archive)?
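The two mitigations discussed in this thread, refusing to write through a symlink (the SUSE/bsdtar rule) and deferring symlink creation until every other entry has been extracted (the GNU tar order), as an added example that is not part of the original thread or of cpio's own code. The "archive" is a constructed in-memory list of entries, not a real cpio stream; `naive_extract` is the vulnerable ordering the thread describes and `safe_extract` applies both rules. Function names, the entry tuple layout and the sandbox layout are assumptions for this example.

```python
"""Added example (not from the oss-sec thread or cpio): extracting a
constructed archive that contains a symlink followed by a file whose path
runs through that symlink, first with archive order, then safely."""
import os
import stat
import tempfile

# Entry = (kind, name, payload): kind is "dir", "file" or "symlink";
# payload is the file bytes for "file" and the link target for "symlink".
def malicious_entries(outside_dir):
    """Constructed sample archive: a symlink entry, then a regular file
    whose parent directory is that symlink."""
    return [
        ("dir", "pkg", None),
        ("symlink", "pkg/etc", outside_dir),
        ("file", "pkg/etc/evil.txt", b"written through a symlink\n"),
    ]


def naive_extract(entries, dest):
    """The 'before': archive order is followed and open() follows symlinks."""
    for kind, name, payload in entries:
        path = os.path.join(dest, name)
        if kind == "dir":
            os.makedirs(path, exist_ok=True)
        elif kind == "symlink":
            os.symlink(payload, path)
        else:
            with open(path, "wb") as f:
                f.write(payload)


def _checked_path(dest, name):
    """Map an archive member name to a path under dest, refusing absolute
    names, '..' components and any symlink among the parent components
    (the bsdtar rule: never write through a symlink, even a pre-existing one).
    Missing intermediate directories are created as real directories."""
    parts = [p for p in name.split("/") if p]
    if name.startswith("/") or not parts or ".." in parts:
        raise ValueError("refusing unsafe member name: %r" % name)
    cur = dest
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)  # lstat: do not follow a link at this component
        except FileNotFoundError:
            os.mkdir(cur)
            continue
        if stat.S_ISLNK(st.st_mode):
            raise ValueError("refusing to write through symlink: %r" % cur)
        if not stat.S_ISDIR(st.st_mode):
            raise ValueError("parent is not a directory: %r" % cur)
    return os.path.join(dest, *parts)


def safe_extract(entries, dest):
    """GNU-tar-style order: directories and regular files first, symlinks
    deferred to the end. Returns (created_names, conflicting_symlink_names).
    A deferred symlink whose path was meanwhile occupied by a real entry is
    reported as a conflict instead of replacing it."""
    os.makedirs(dest, exist_ok=True)
    deferred, created, conflicts = [], [], []
    for kind, name, payload in entries:
        if kind == "symlink":
            deferred.append((name, payload))
            continue
        path = _checked_path(dest, name)
        if kind == "dir":
            if os.path.islink(path):
                raise ValueError("refusing to reuse symlink as dir: %r" % path)
            os.makedirs(path, exist_ok=True)
        else:
            # O_NOFOLLOW: fail rather than write into whatever a link points at
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
            with os.fdopen(os.open(path, flags, 0o644), "wb") as f:
                f.write(payload)
        created.append(name)
    for name, target in deferred:
        path = _checked_path(dest, name)
        if os.path.lexists(path):
            conflicts.append(name)
            continue
        os.symlink(target, path)
        created.append(name)
    return created, conflicts


def run_sandbox(extractor):
    """Extract the constructed archive into a fresh temp dir with `extractor`.
    Returns True if the payload escaped into the 'outside' directory."""
    root = tempfile.mkdtemp(prefix="cpio-demo-")
    outside = os.path.join(root, "outside")
    dest = os.path.join(root, "dest")
    os.makedirs(outside)
    os.makedirs(dest)
    extractor(malicious_entries(outside), dest)
    return os.path.exists(os.path.join(outside, "evil.txt"))


def refuses_preexisting_symlink():
    """The point Florian Weimer's quote argues about: a symlink that was
    already under dest before extraction is not followed by safe_extract."""
    root = tempfile.mkdtemp(prefix="cpio-demo-")
    outside = os.path.join(root, "outside")
    dest = os.path.join(root, "dest")
    os.makedirs(outside)
    os.makedirs(dest)
    os.symlink(outside, os.path.join(dest, "pkg"))
    try:
        safe_extract([("file", "pkg/x.txt", b"x\n")], dest)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive_extract escaped:", run_sandbox(naive_extract))
    print("safe_extract escaped:", run_sandbox(safe_extract))
    print("pre-existing symlink refused:", refuses_preexisting_symlink())
```

Deferring symlinks alone closes the in-archive ordering trick, but only the per-component `lstat` check handles symlinks that were already present in the destination, which is exactly the behaviour the thread debates; the check is done before the write, so a concurrent attacker replacing a component between check and write is still a race that an fd-relative (`openat`/`O_NOFOLLOW` per component) implementation would close more completely.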