Hi all,

This issue was assigned a CVE: CVE-2017-7516

On Tue, Jul 4, 2017 at 3:39 PM, Cedric Buissart <cbuis...@redhat.com> wrote:
> Attempt n°3 : followed the GNU coding standards and added a testsuite case
>
> On Thu, Jun 15, 2017 at 9:37 PM, Cedric Buissart <cbuis...@redhat.com> wrote:
>
>> Attempt n.2 :
>> Created a function that walks the whole path. If anything not-directory
>> is found, return an error. If the path is not fully created, we consider
>> that a success and let cpio decide when the time has come.
>> Files will be skipped if no-absolute-path is set and an error is returned.
>>
>> On Wed, Jun 7, 2017 at 10:46 AM, Pavel Raiskup <prais...@redhat.com> wrote:
>>
>>> On Wednesday, June 7, 2017 10:07:21 AM CEST Cedric Buissart wrote:
>>> > > In other words and IMO, if we were about to fix this issue - we should only
>>> > > refuse to extract files through symlinks.
>>> >
>>> > Through any symlinks, or only those created by the archive itself?
>>>
>>> Remembering the extracted links might be expensive, and with
>>> --no-absolute-filenames we want to stay in CWD anyway - no matter how the links
>>> in CWD were created.
>>>
>>> > The latter might look less restrictive, but what happens if a local
>>> > attacker is able to create a symlink. Is it something that should be
>>> > considered?
>>>
>>> Usually the user should avoid races manually when running the archiver:
>>> https://www.gnu.org/software/tar/manual/html_node/Race-conditions.html
>>
>> Based on the above, I did not try to avoid races.
>>
>>> Pavel

--
Cedric Buissart,
Product Security
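The component walk described in attempt n.2, as an added C example that is not the cpio patch itself: every already-existing prefix of a relative path is checked with lstat(), an existing component that is not a directory (a symlink in particular) is refused, and a component that does not exist yet ends the walk as a success, since the archiver will create it. The function names check_path_components and demo_fixture are chosen here, the fixture is constructed, and a POSIX system is assumed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if every already-existing parent of 'path' is a real directory
   (a component that does not exist yet ends the walk, the archiver will
   create it), -1 if an existing component is not a directory, e.g. a
   symlink, and -2 on other errors or an oversized path. */
int check_path_components(const char *path)
{
    char buf[PATH_MAX];
    struct stat st;
    size_t n = strlen(path);

    if (n == 0 || n >= sizeof buf)
        return -2;
    for (size_t i = 1; i < n; i++) {        /* each prefix ending in '/' */
        if (path[i] != '/')
            continue;
        memcpy(buf, path, i);
        buf[i] = '\0';
        if (lstat(buf, &st) != 0)           /* lstat: never follow links */
            return errno == ENOENT ? 0 : -2;
        if (!S_ISDIR(st.st_mode))
            return -1;                      /* symlink or file in the way */
    }
    return 0;
}

/* Constructed fixture: a directory 'real' and a symlink 'lnk' -> real in a
   fresh temp dir under the current directory. Returns 1 when a path through
   the directory is accepted and the same path through the symlink refused. */
int demo_fixture(void)
{
    char tmpl[] = "path-check-XXXXXX", cwd[PATH_MAX];
    int ok = 0;

    if (getcwd(cwd, sizeof cwd) == NULL || mkdtemp(tmpl) == NULL)
        return 0;
    if (chdir(tmpl) == 0 && mkdir("real", 0700) == 0 && symlink("real", "lnk") == 0)
        ok = check_path_components("real/new/file") == 0 &&
             check_path_components("lnk/new/file") == -1;
    unlink("lnk"); rmdir("real");
    if (chdir(cwd) == 0) rmdir(tmpl);
    return ok;
}
```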