[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-cpio] [PATCH] Check for size overflow in tar header fields

From: Thomas ☃ Habets
Subject: Re: [Bug-cpio] [PATCH] Check for size overflow in tar header fields
Date: Mon, 30 Sep 2019 10:52:47 +0100

On Fri, 30 Aug 2019 at 16:54, Thomas ☃ Habets <address@hidden> wrote:
>     Check for size overflow in tar header fields.
>     This prevents surprising outputs being created, e.g. this cpio tar
>     output with more than one file:
>     tar cf suffix.tar AUTHORS
>     dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
>     echo suffix.tar | cpio -H tar -o | tar tvf -
>     -rw-r--r-- 1000/1000       0 2019-08-30 16:40 suffix.tar
>     -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
> Patch attached, but also at https://cement.retrofitta.se/tmp/cpio-tar.patch

Hey again.

Anyone looking at this? I think this is actually a security issue.

This command looks safe, and is a reasonable "backup" command:
find /home -type f | cpio -H tar -o > /var/backups/backup.tar

But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the
tar file can be made to have arbitrary content, so a restore could
overwrite /etc/passwd or anything else under the restore tree, using any
permissions. A world writable /dev/sda would also be bad, as would many
other fun variants. Like user controlling /home/evil can inject
/home/friendly/.bashrc content too.

☢ Thomas ☢

reply via email to

[Prev in Thread] Current Thread [Next in Thread]