Re: [Bug-cpio] [PATCH] Check for size overflow in tar header fields
From: Thomas ☃ Habets
Subject: Re: [Bug-cpio] [PATCH] Check for size overflow in tar header fields
Date: Mon, 30 Sep 2019 10:52:47 +0100

On Fri, 30 Aug 2019 at 16:54, Thomas ☃ Habets <address@hidden> wrote:
>
> Check for size overflow in tar header fields.
>
> This prevents surprising outputs being created, e.g. this cpio tar
> output with more than one file:
>
> tar cf suffix.tar AUTHORS
> dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
> echo suffix.tar | cpio -H tar -o | tar tvf -
>
> -rw-r--r-- 1000/1000 0 2019-08-30 16:40 suffix.tar
> -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
>
> Patch attached, but also at https://cement.retrofitta.se/tmp/cpio-tar.patch

Hey again.

Anyone looking at this? I think this is actually a security issue.

This command looks safe, and is a reasonable "backup" command:

    find /home -type f | cpio -H tar -o > /var/backups/backup.tar

But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the
tar file can be made to have arbitrary content, so a restore could
overwrite /etc/passwd or anything else under the restore tree, using any
permissions. A world writable /dev/sda would also be bad, as would many
other fun variants. Like user controlling /home/evil can inject
/home/friendly/.bashrc content too.
--
☢ Thomas ☢
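
The kind of check the patch subject describes, as an added C example that is not cpio's code and not the attached patch. It assumes the ustar size field is 12 bytes (11 octal digits plus a NUL); the function names are hypothetical, and the unchecked writer keeping only the low-order digits is an assumption, one that is consistent with the size 0 listed for the 16G suffix.tar above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAR_SIZE_FIELD 12  /* assumed ustar size field: 11 octal digits + NUL */

/* Largest value that fits in `digits` octal digits (3 bits each). */
static uint64_t octal_max(unsigned digits)
{
    return digits > 21 ? UINT64_MAX : ((uint64_t)1 << (3 * digits)) - 1;
}

/* Hypothetical unchecked writer: keeps only the low-order digits,
   so an oversized value is silently truncated. */
static void write_octal_unchecked(uint64_t v, char *field, unsigned width)
{
    field[width - 1] = '\0';
    for (unsigned i = width - 1; i-- > 0; v >>= 3)
        field[i] = (char)('0' + (v & 7));
}

/* Checked writer: returns -1 and leaves the field untouched
   when the value does not fit in width-1 octal digits. */
static int write_octal_checked(uint64_t v, char *field, unsigned width)
{
    if (width < 2 || v > octal_max(width - 1))
        return -1;
    write_octal_unchecked(v, field, width);
    return 0;
}

int main(void)
{
    /* 16 GiB: the size produced by the dd command quoted above. */
    const uint64_t sixteen_gib = (uint64_t)16 << 30;
    char field[TAR_SIZE_FIELD];

    write_octal_unchecked(sixteen_gib, field, sizeof field);
    printf("unchecked: size field \"%s\"\n", field);

    if (write_octal_checked(sixteen_gib, field, sizeof field) != 0)
        fprintf(stderr, "checked: %llu bytes does not fit, refusing entry\n",
                (unsigned long long)sixteen_gib);
    return 0;
}
```

With the check in place, an archiver can skip or reject the oversized file rather than emit a header whose size disagrees with the data that follows it.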