|
| From: | Cedric Buissart |
| Subject: | [Bug-cpio] [CVE-2017-7516] Re: [PATCH] symlink target sanity check to prevent --no-absolute-filenames bypass |
| Date: | Mon, 29 Jan 2018 14:53:50 +0100 |
Attempt. n°3 : followed the GNU coding standards and added a testsuite caseOn Thu, Jun 15, 2017 at 9:37 PM, Cedric Buissart <address@hidden> wrote:Attempt n.2 :Files will be skipped if no-absolute-path is set and error is return.
Created a function that walks the whole path. If anything not-directory is found, return an error. If the path is not fully created, we consider that a success and let cpio decides when time has come.On Wed, Jun 7, 2017 at 10:46 AM, Pavel Raiskup <address@hidden> wrote:On Wednesday, June 7, 2017 10:07:21 AM CEST Cedric Buissart wrote:
> > In other words and IMO, if we were about to fix this issue - we should only
> > refuse to extract files through symlinks.
>
> Through any symlinks, or only those created by the archive itself ?
Remembering the extracted links might be expensive, and with
--no-absolute-filenames we want to stay in CWD anyway - no matter how the links
in CWD were created.
> The latter might look less restrictive, but what happens if a local
> attacker is able to create a symlink. Is it something that should be
> considered ?
Usually user should avoid races manually when running archiver:
https://www.gnu.org/software/tar/manual/html_node/Race-condi tions.html based on the above, I did not try to avoid races.
Pavel
--Cedric Buissart,
Product Security
--Cedric Buissart,
Product Security
| [Prev in Thread] | Current Thread | [Next in Thread] |