Message-ID: <8d3bc49e3cb55d99d9fa35c648f69451@mx.sdfeu.org>
Date: Sun, 17 Apr 2016 16:25:31 +0200
From: none <ytrezq@...-eu.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: cpio -- directory traversal

On 2015-02-02 20:48, Vitezslav Cizek wrote:
>> * On Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov 
>> wrote:
>>> cpio is susceptible to a directory traversal vulnerability via 
>>> symlinks.
>> 
>> Here's a patch we use in SUSE for some time.

> Thanks for sharing!

>> It forbids to write over symlinks, similar to bsdtar.

> Nice, this is a simple and easy approach. But I wonder if it's widely
> acceptable. GNU tar follows symlinks which are not extracted from the
> archive and, in 
> http://www.openwall.com/lists/oss-security/2015/01/08/4,
> Florian Weimer said: "If [the current directory] already contains
> symbolic links, some users expect that those links are followed because
> they have used symlinks to move part of the file system tree to
> somewhere else (perhaps a large file system)."

A year later, I see this bug is still not fixed.

What about using the GNU tar way in that case? I mean, delay the creation 
of symlinks until all fifo/device/regular files and directories are 
created (instead of following the order in the archive)?

