oss-sec mailing list archives
Re: CVE Request: cpio -- directory traversal
From: Alexander Cherepanov <ch3root () openwall com>
Date: Fri, 06 Feb 2015 03:08:49 +0300
On 2015-02-02 20:48, Vitezslav Cizek wrote:
* Dne Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov napsal:cpio is susceptible to a directory traversal vulnerability via symlinks.Here's a patch we use in SUSE for some time.
Thanks for sharing!
It forbids to write over symlinks, similar to bsdtar.
Nice, this is a simple and easy approach. But I wonder if it's widely acceptable. GNU tar follows symlinks which are not extracted from the archive and, in http://www.openwall.com/lists/oss-security/2015/01/08/4, Florian Weimer said: "If [the current directory] already contains symbolic links, some users expect that those links are followed because they have used symlinks to move part of the file system tree to somewhere else (perhaps a large file system)."
-- Alexander Cherepanov
Current thread:
- CVE Request: cpio -- directory traversal Alexander Cherepanov (Jan 15)
- Re: CVE Request: cpio -- directory traversal Lyndon Nerenberg (Jan 15)
- Re: CVE Request: cpio -- directory traversal Alexander Cherepanov (Jan 15)
- Re: CVE Request: cpio -- directory traversal cve-assign (Jan 18)
- Re: CVE Request: cpio -- directory traversal Vitezslav Cizek (Feb 02)
- Re: CVE Request: cpio -- directory traversal Alexander Cherepanov (Feb 05)
- Re: CVE Request: cpio -- directory traversal Lyndon Nerenberg (Jan 15)