[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-cpio] [PATCH] symlink target sanity check to prevent --no-absol

From: Cedric Buissart
Subject: Re: [Bug-cpio] [PATCH] symlink target sanity check to prevent --no-absolute-filenames bypass
Date: Wed, 7 Jun 2017 10:07:21 +0200

Hi Pavel,

On Tue, Jun 6, 2017 at 11:43 AM, Pavel Raiskup <address@hidden> wrote:
Hi Cedric, thanks for the report!

On Monday, June 5, 2017 5:34:58 PM CEST Cedric Buissart wrote:
> Looking at cpio, i found what seems to be a way to bypass the
> --no-absolute-filenames option, which supposedly prevents data to be
> written outside of the current folder.

This sounds like real issue, according to 'info cpio':

         [*note copy-in::,*note copy-out::]
         Create all files relative to the current directory in copy-in mode,
         even if they have an absolute file name in the archive.

> The very naive patch attached makes use of safer_name_suffix() to sanitize
> symlink's value.

The patch implements uncommon behavior among archivers.  Extracting the
absolute symlink to directory _is not_ an issue (it is completely safe
operation); the following extraction of files through this symlink *might
be* an issue.  More importantly, valid extraction of absolute symlink is
often really desired even with --no-absolute-filenames.
Good point, the patch was too naive, but at least was simple :D.

In other words and IMO, if we were about to fix this issue - we should only
refuse to extract files through symlinks.
Through any symlinks, or only those created by the archive itself ?
The latter might look less restrictive, but what happens if a local attacker is able to create a symlink. Is it something that should be considered ?



Cedric Buissart,
Product Security

reply via email to

[Prev in Thread] Current Thread [Next in Thread]