bug-cpio

From: Cedric Buissart
Subject: Re: [Bug-cpio] [PATCH] symlink target sanity check to prevent --no-absolute-filenames bypass
Date: Wed, 7 Jun 2017 10:07:21 +0200

Hi Pavel,

On Tue, Jun 6, 2017 at 11:43 AM, Pavel Raiskup <address@hidden> wrote:
> Hi Cedric, thanks for the report!
>
> On Monday, June 5, 2017 5:34:58 PM CEST Cedric Buissart wrote:
>> Looking at cpio, I found what seems to be a way to bypass the
>> --no-absolute-filenames option, which supposedly prevents data from being
>> written outside of the current folder.
>
> This sounds like a real issue, according to 'info cpio':
>
>     '--no-absolute-filenames'
>          [*note copy-in::,*note copy-out::]
>          Create all files relative to the current directory in copy-in mode,
>          even if they have an absolute file name in the archive.
>
>> The very naive patch attached makes use of safer_name_suffix() to sanitize
>> the symlink's value.
>
> The patch implements uncommon behavior among archivers.  Extracting the
> absolute symlink to a directory _is not_ an issue (it is a completely safe
> operation); the following extraction of files through this symlink *might
> be* an issue.  More importantly, valid extraction of an absolute symlink is
> often really desired even with --no-absolute-filenames.
Good point, the patch was too naive, but at least it was simple :D.


> In other words and IMO, if we were about to fix this issue - we should only
> refuse to extract files through symlinks.
Through any symlinks, or only those created by the archive itself?
The latter might look less restrictive, but what happens if a local attacker is able to create a symlink? Is it something that should be considered?

> Thanks!
>
> Pavel




--
Cedric Buissart,
Product Security
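The check the thread converges on, "refuse to extract files through symlinks", with both answers to the question above (only symlinks the archive itself created, or any symlink at all), written as an added example. This is not cpio's code and not the attached patch; the function names, the `symlink_policy` enum and the small table of archive-created symlinks are this example's own. It assumes the member name has already been made relative (leading `/` and `../` stripped, as `safer_name_suffix()` does) and only asks whether the parent directories of that name are reached through a symlink. Descending is done exclusively with `openat(O_NOFOLLOW|O_DIRECTORY)`, so a symlink swapped in between the `fstatat` and the `openat` makes the walk fail rather than be followed.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Which symlinks may not be traversed while extracting (names are this example's own). */
enum symlink_policy {
    REJECT_ARCHIVE_SYMLINKS,   /* only symlinks this extraction created from archive members */
    REJECT_ANY_SYMLINK         /* any symlink, whether pre-existing or archive-created */
};

/* Symlinks (relative to the extraction root) created from archive members so far. */
#define MAX_TRACKED 256
static char tracked[MAX_TRACKED][PATH_MAX];
static int ntracked;

void note_created_symlink(const char *relpath)
{
    if (ntracked < MAX_TRACKED)
        snprintf(tracked[ntracked++], PATH_MAX, "%s", relpath);
}

static int created_by_archive(const char *relpath)
{
    for (int i = 0; i < ntracked; i++)
        if (strcmp(tracked[i], relpath) == 0)
            return 1;
    return 0;
}

/* Walk the parent directories of `member` below `root`. Returns 1 if a symlink the
 * policy forbids sits on the path, 0 if the path is clean (missing components will
 * simply be created by the extraction), -1 on error. Assumes `member` is relative. */
int path_goes_through_symlink(const char *root, const char *member, enum symlink_policy pol)
{
    char rel[PATH_MAX] = "";
    char comp[NAME_MAX + 1];
    int dirfd = open(root, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;

    const char *p = member;
    for (;;) {
        const char *slash = strchr(p, '/');
        if (!slash)
            break;                              /* final component is created, not traversed */
        size_t len = (size_t)(slash - p);
        if (len > NAME_MAX) { close(dirfd); return -1; }
        memcpy(comp, p, len);
        comp[len] = '\0';
        p = slash + 1;
        if (len == 0 || strcmp(comp, ".") == 0)
            continue;                           /* "//" and "./" add nothing to the walk */
        if (strlen(rel) + len + 2 > sizeof rel) { close(dirfd); return -1; }
        if (rel[0])
            strcat(rel, "/");
        strcat(rel, comp);

        struct stat st;
        int next;
        if (fstatat(dirfd, comp, &st, AT_SYMLINK_NOFOLLOW) < 0) {
            int missing = (errno == ENOENT);
            close(dirfd);
            return missing ? 0 : -1;            /* not there yet: extraction will mkdir it */
        }
        if (S_ISLNK(st.st_mode)) {
            if (pol == REJECT_ANY_SYMLINK || created_by_archive(rel)) {
                close(dirfd);
                return 1;
            }
            next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY);   /* lenient policy: cross it on purpose */
        } else {
            next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);  /* never follows a symlink */
        }
        close(dirfd);
        if (next < 0)
            return -1;
        dirfd = next;
    }
    close(dirfd);
    return 0;
}

/* Builds a throwaway tree (constructed for this example) and exercises the check.
 * Returns 0 when every expectation holds, otherwise the number of the first one that failed. */
int demo(void)
{
    char root[] = "/tmp/cpio-symlink-XXXXXX";
    if (!mkdtemp(root))
        return -1;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/real", root);
    mkdir(path, 0700);                          /* a genuine directory */
    snprintf(path, sizeof path, "%s/local", root);
    symlink("real", path);                      /* pre-existing symlink, e.g. left by a local user */
    snprintf(path, sizeof path, "%s/evil", root);
    symlink("/", path);                         /* archive member "evil -> /" */
    note_created_symlink("evil");

    int failed = 0;
    if (path_goes_through_symlink(root, "new/dir/file", REJECT_ANY_SYMLINK) != 0) failed = 1;
    else if (path_goes_through_symlink(root, "real/file", REJECT_ANY_SYMLINK) != 0) failed = 2;
    else if (path_goes_through_symlink(root, "evil/etc/passwd", REJECT_ARCHIVE_SYMLINKS) != 1) failed = 3;
    else if (path_goes_through_symlink(root, "./evil//etc/passwd", REJECT_ANY_SYMLINK) != 1) failed = 4;
    else if (path_goes_through_symlink(root, "local/file", REJECT_ARCHIVE_SYMLINKS) != 0) failed = 5;
    else if (path_goes_through_symlink(root, "local/file", REJECT_ANY_SYMLINK) != 1) failed = 6;

    snprintf(path, sizeof path, "%s/evil", root);  unlink(path);
    snprintf(path, sizeof path, "%s/local", root); unlink(path);
    snprintf(path, sizeof path, "%s/real", root);  rmdir(path);
    rmdir(root);
    return failed;
}

int main(void)
{
    int r = demo();
    printf("%s\n", r == 0 ? "all checks behaved as expected" : "unexpected result");
    return r;
}
```

Under `REJECT_ARCHIVE_SYMLINKS` the pre-existing `local -> real` link is crossed, which is exactly the gap raised in the reply above: a symlink planted by someone else in the extraction directory is indistinguishable from a legitimate one, so an extractor that wants to defend against a local attacker needs `REJECT_ANY_SYMLINK` (or a per-component `O_NOFOLLOW` open for the member itself). The check says nothing about `..` or absolute names; those still need `safer_name_suffix()` first.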
