Re: pax: directory traversal (from CVE request)

2015-02-12 Thread Philip Guenther
On Tue, Jan 13, 2015 at 4:58 AM, Daniel Cegiełka
daniel.cegie...@gmail.com wrote:
> http://www.openwall.com/lists/oss-security/2015/01/07/5
>
> Can someone confirm this vulnerability? It's probably the problem
> of OpenBSD-derived (?) pax.

Thanks for bringing this to our attention!

After much thrashing around, I believe I've got the tar issues
addressed in -current.  We probably won't add an option for cpio to
match tar's -P option (we aren't big fans of --long-options and what
masochist uses cpio for anything but a historical application?), but
adding a -o suboption to pax to match tar's -P is probably in order.

Let me know if you find I've missed anything.


Errata for 5.5/5.6 will occur when travel interruptions permit.


Philip Guenther



pax: directory traversal (from CVE request)

2015-01-12 Thread Daniel Cegiełka
http://www.openwall.com/lists/oss-security/2015/01/07/5

Can someone confirm this vulnerability? It's probably the problem
of OpenBSD-derived (?) pax.

Best regards,
Daniel



Re: pax: directory traversal (from CVE request)

2015-01-12 Thread Ted Unangst
On Mon, Jan 12, 2015 at 19:58, Daniel Cegiełka wrote:
> http://www.openwall.com/lists/oss-security/2015/01/07/5
>
> Can someone confirm this vulnerability? It's probably the problem
> of OpenBSD-derived (?) pax.

The following is incomplete I think (doesn't handle arcn->ln_name),
but seems to do the right thing with a few test archives I've created.

Index: pat_rep.c
===
RCS file: /cvs/src/bin/pax/pat_rep.c,v
retrieving revision 1.34
diff -u -p -r1.34 pat_rep.c
--- pat_rep.c   24 May 2014 18:51:00 -  1.34
+++ pat_rep.c   12 Jan 2015 19:45:17 -
@@ -632,6 +632,32 @@ mod_name(ARCHD *arcn)
paxwarn(0, Removing leading / from absolute path names 
in the archive);
}
}
+   if (rmleadslash) {
+   char *p, *prev;
+
+   while ((p = strstr(arcn-name, /../))) {
+   *p = 0; /* overwrite for benefit of strrchr */
+   prev = strrchr(arcn-name, '/');
+   if (prev) {
+   memmove(prev, p + 4, strlen(p + 4) + 1);
+   arcn-nlen -= p + 4 - prev;
+   } else {
+   memmove(arcn-name, p + 4, strlen(p + 4) + 1);
+   }
+   if (rmleadslash  3) {
+   rmleadslash = 3;
+   paxwarn(0, Removing /../ from path names in 
the archive);
+   }
+   }
+   while (strstr(arcn-name, ../) == arcn-name) {
+   memmove(arcn-name, arcn-name + 3, strlen(arcn-name + 
3) + 1);
+   arcn-nlen -= 3;
+   if (rmleadslash  3) {
+   rmleadslash = 3;
+   paxwarn(0, Removing leading .. from path names 
in the archive);
+   }
+   }
+   }
 
/*
 * IMPORTANT: We have a problem. what do we do with symlinks?
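Review bot: the `else` branch of the first loop (no earlier `/` found by `strrchr`, so the tail at `p + 4` is moved to the start of the name) never adjusts `arcn->nlen`, while the `if (prev)` branch does with `arcn-nlen -= p + 4 - prev;`; for a name such as `a/../b` the length field is left stale, so add the matching `arcn->nlen -= p + 4 - arcn->name;` there. Two shapes also slip past the two `strstr` tests: a name that ends in `/..` with no trailing slash (the first loop only matches the four-character `/../`) and a name that is exactly `..` (the second loop only matches a leading `../`); matching on path components, or additionally handling the slash-less tail case, would close both, and the link-target field already noted as unhandled needs the same treatment. Gating the block on `rmleadslash` means whatever clears that flag (tar's `-P`, and the pax `-o` suboption discussed earlier in the thread) also keeps `..` components, which is a reasonable pairing but should be stated in the manual page. Separately, this copy of the hunk has lost its `>`, `<` and `"` characters in transit (`arcn-name`, `rmleadslash  3`, `paxwarn(0, Removing ...)`), so it will not apply as pasted; take it from the CVS revision instead.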