On Mon, 30 Sep 2019 at 10:52, Thomas ☃ Habets <hab...@google.com> wrote:
> On Fri, 30 Aug 2019 at 16:54, Thomas ☃ Habets <hab...@google.com> wrote:
> > Check for size overflow in tar header fields.
> >
> > This prevents surprising outputs being created, e.g. this cpio tar
> > output with more than one file:
> >
> > tar cf suffix.tar AUTHORS
> > dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
> > echo suffix.tar | cpio -H tar -o | tar tvf -
> >
> > -rw-r--r-- 1000/1000 0 2019-08-30 16:40 suffix.tar
> > -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
> >
> > Patch attached, but also at https://cement.retrofitta.se/tmp/cpio-tar.patch
>
> Anyone looking at this? I think this is actually a security issue.
Here's perhaps a clearer description of why it's a security issue:

1) Prep payload

evil$ ls /home/evil
evil$ ./generate_evil_data > /home/evil/foo.tar  # (can have any name, not just .tar)

2) root user performs backup

root# find /home -print0 | cpio -H tar -o > /var/backup/h.tar

3) root user restores

root# cd /
root# tar xf /var/backup/h.tar /home/evil/

4) evil user uses newly created rootshell, or writes to /dev/sda

evil$ ls -l /home/evil/
srwxr-xr-x 1 evil evil 61176 Aug  3  2018 /home/evil/rootshell
brw-rw---- 1 evil evil 8, 0 Oct  7 11:21 /home/evil/sda-pwned
evil$ /home/evil/rootshell

-- 
☢ Thomas ☢