Hi Pavel,

On Tue, Jun 6, 2017 at 11:43 AM, Pavel Raiskup <prais...@redhat.com> wrote:
> Hi Cedric, thanks for the report!
>
> On Monday, June 5, 2017 5:34:58 PM CEST Cedric Buissart wrote:
> > Looking at cpio, I found what seems to be a way to bypass the
> > --no-absolute-filenames option, which supposedly prevents data from being
> > written outside of the current folder.
>
> This sounds like a real issue, according to 'info cpio':
>
> '--no-absolute-filenames'
>      [*note copy-in::,*note copy-out::]
>      Create all files relative to the current directory in copy-in mode,
>      even if they have an absolute file name in the archive.
>
> > The very naive patch attached makes use of safer_name_suffix() to sanitize
> > symlink's value.
>
> The patch implements uncommon behavior among archivers. Extracting the
> absolute symlink to directory _is not_ an issue (it is a completely safe
> operation); the following extraction of files through this symlink *might
> be* an issue. More importantly, valid extraction of absolute symlink is
> often really desired even with --no-absolute-filenames.

Good point, the patch was too naive, but at least was simple :D.

> In other words and IMO, if we were about to fix this issue - we should only
> refuse to extract files through symlinks.

Through any symlinks, or only those created by the archive itself? The latter
might look less restrictive, but what happens if a local attacker is able to
create a symlink? Is it something that should be considered?

Thanks!

> Pavel
>

--
Cedric Buissart, Product Security
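The policy Pavel sketches (allow the symlink member itself, refuse file members whose path passes through a symlink) as an added illustration; this is constructed example code, not cpio's implementation or the patch discussed in the thread. `safe_to_create` and `demo` are hypothetical names, and the check deliberately does not distinguish links created by the archive from pre-existing ones, which covers the local-attacker case raised above.

```python
import os
import shutil
import tempfile


def safe_to_create(root, member):
    """Decide whether archive member `member` may be created under `root`.

    Constructed policy (not cpio's): the name must be relative and contain
    no '..' component, and no directory on the way to it may be a symlink.
    The final component is not resolved, so a symlink member with an
    absolute target is still allowed: the link itself is harmless, only
    later writes *through* it would escape the extraction directory.
    """
    parts = member.split("/")
    if member.startswith("/") or ".." in parts:
        return False
    cur = root
    for part in parts[:-1]:
        if part in ("", "."):
            continue
        cur = os.path.join(cur, part)
        # islink() uses lstat, so a link is caught whether it came from the
        # archive or was planted beforehand by another local user.
        if os.path.islink(cur):
            return False
    return True


def demo():
    """Simulate an archive that ships 'link -> <absolute dir>' followed by
    'link/file.txt', and report which members the policy accepts."""
    root = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()  # constructed stand-in for an absolute target
    try:
        # First member: the absolute symlink itself (allowed by the policy).
        ok_link = safe_to_create(root, "link")
        os.symlink(outside, os.path.join(root, "link"))
        os.mkdir(os.path.join(root, "plain"))
        return {
            "link_itself": ok_link,
            "plain_file": safe_to_create(root, "plain/file.txt"),
            "through_link": safe_to_create(root, "link/file.txt"),
            "dotdot": safe_to_create(root, "../file.txt"),
            "absolute": safe_to_create(root, "/etc/file.txt"),
        }
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)
```

The per-component lstat check is racy (a link can appear between the check and the write); a production extractor would walk the path with openat(2) and O_NOFOLLOW so the directory handles it holds cannot be swapped underneath it.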