On Fri, 30 Aug 2019 at 16:54, Thomas ☃ Habets <hab...@google.com> wrote:
>
> Check for size overflow in tar header fields.
>
> This prevents surprising outputs being created, e.g. this cpio tar
> output with more than one file:
>
> tar cf suffix.tar AUTHORS
> dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
> echo suffix.tar | cpio -H tar -o | tar tvf -
>
> -rw-r--r-- 1000/1000       0 2019-08-30 16:40 suffix.tar
> -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
>
> Patch attached, but also at https://cement.retrofitta.se/tmp/cpio-tar.patch
Hey again. Anyone looking at this?

I think this is actually a security issue.

This command looks safe, and is a reasonable "backup" command:

find /home -type f | cpio -H tar -o > /var/backups/backup.tar

But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the
tar file can be made to have arbitrary content, so a restore could
overwrite /etc/passwd or anything else under the restore tree, using any
permissions.

A world-writable /dev/sda would also be bad, as would many other fun
variants. Likewise, a user controlling /home/evil can inject
/home/friendly/.bashrc content too.

-- 
☢ Thomas ☢
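The mechanism behind the report, reproduced in memory as an added example (this is not cpio's code and not the attached patch). The ustar size field is 12 bytes: 11 octal digits plus a terminator, so the largest size it can hold is 0o77777777777, i.e. 8 GiB - 1. The encoder below that drops the high digits is an assumed model of an unchecked writer, not a copy of cpio's routine; the sample inner archive and its AUTHORS contents are constructed here. Declaring a 16 GiB file through that encoder yields a size field of 0, and a standard tar reader then parses the file's own leading bytes as the next entry, which is exactly the two-file listing in the first message. The checked encoder shows the alternative: refuse the entry instead of writing a misleading header.

```python
"""In-memory reproduction of the cpio -H tar size-field overflow (added example)."""
import io
import tarfile

BLOCK = 512
SIZE_FIELD = 12
MAX_FIELD_SIZE = 0o77777777777  # 8 GiB - 1: largest value 11 octal digits can hold


def fits_octal_field(value: int, width: int) -> bool:
    """True if value is representable in width-1 octal digits plus a NUL."""
    return 0 <= value <= (1 << (3 * (width - 1))) - 1


def encode_octal_truncating(value: int, width: int) -> bytes:
    """Assumed model of an unchecked encoder: keep only the low width-1 octal
    digits and a trailing NUL; higher digits are silently dropped."""
    out = bytearray(width)  # out[width-1] stays 0 as the NUL terminator
    for i in range(width - 2, -1, -1):
        out[i] = ord("0") + (value & 7)
        value >>= 3
    return bytes(out)


def encode_octal_checked(value: int, width: int) -> bytes:
    """Refuse values the field cannot hold instead of truncating them."""
    if not fits_octal_field(value, width):
        raise ValueError(f"{value} does not fit in a {width}-byte octal field")
    return encode_octal_truncating(value, width)


def decode_octal(field: bytes) -> int:
    """Parse a NUL/space-terminated octal field the way tar readers do."""
    return int(field.split(b"\0", 1)[0].strip() or b"0", 8)


def ustar_header(name: str, size: int, encode) -> bytes:
    """Minimal ustar header for a regular file; `encode` fills numeric fields."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    hdr[100:108] = encode(0o644, 8)          # mode
    hdr[108:116] = encode(1000, 8)           # uid
    hdr[116:124] = encode(1000, 8)           # gid
    hdr[124:136] = encode(size, SIZE_FIELD)  # size: the field that overflows
    hdr[136:148] = encode(0, 12)             # mtime
    hdr[148:156] = b" " * 8                  # checksum is computed over spaces
    hdr[156] = ord("0")                      # typeflag: regular file
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)


def inner_tar() -> bytes:
    """Constructed stand-in for suffix.tar: a one-entry archive holding AUTHORS."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        data = b"constructed sample contents\n"
        info = tarfile.TarInfo("AUTHORS")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_archive(file_size: int, checked: bool) -> bytes:
    """Emulate `echo suffix.tar | cpio -H tar -o`: one header declaring
    file_size for suffix.tar, followed by suffix.tar's leading bytes. The
    gigabytes of zeros that dd appended in the real case are omitted: a
    reader stops at the inner archive's end-of-archive blocks anyway."""
    encode = encode_octal_checked if checked else encode_octal_truncating
    return ustar_header("suffix.tar", file_size, encode) + inner_tar()


def list_entries(archive: bytes):
    """(name, size) for every entry a standard tar reader sees."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        return [(m.name, m.size) for m in tf.getmembers()]


if __name__ == "__main__":
    sixteen_gib = 16 * 1024 ** 3
    print("16 GiB fits in the size field:", fits_octal_field(sixteen_gib, SIZE_FIELD))
    print("truncated field decodes to:",
          decode_octal(encode_octal_truncating(sixteen_gib, SIZE_FIELD)))
    print("entries seen by a tar reader:", list_entries(build_archive(sixteen_gib, checked=False)))
    try:
        build_archive(sixteen_gib, checked=True)
    except ValueError as err:
        print("checked encoder refused:", err)
```

The truncating path lists suffix.tar with size 0 followed by AUTHORS, matching the thread's `tar tvf -` output; the checked path raises before any header is written. Any size above MAX_FIELD_SIZE whose low 11 octal digits form a small number gives the same effect, which is why an attacker only needs a sparse file of the right length, not real data.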