Kindly ping

Is this an appropriate fix or do we need another solution?

Regards,
Qi

On 3/31/25 17:39, Ian Norton wrote:

I do not know. I never had any feedback from the maintainers. #16018 is, I think, just as much of a problem as CVE-2023-39810.

In tar, you *are* allowed to traverse outside the cwd (and use absolute paths), but because #16018 can be used to mask the output from `tar -t`, it allows an attacker to defeat almost all manual or shell-scripted inspection of the archive that would allow a user to catch and prevent these traversals.

*From: *busybox <[email protected]> on behalf of ChenQi <[email protected]>
*Date: *Monday 31 March 2025 at 10:28
*To: *"[email protected]" <[email protected]>
*Subject: *Re: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)


Will this patch be accepted? Or is it not suitable for busybox for some reason?

Regards,

Qi

On 10/11/24 15:54, Ian Norton wrote:

    FYI, This seems also related to
    https://bugs.busybox.net/show_bug.cgi?id=16018
    
    (my patch for fixing that seems to have got lost in the mailing
    list noise)

    *From: *busybox <[email protected]> on behalf of Peter Kaestle <[email protected]>
    *Date: *Wednesday 2 October 2024 at 09:12
    *To: *"[email protected]" <[email protected]>, Denys Vlasenko <[email protected]>
    *Cc: *"[email protected]" <[email protected]>, Peter Kaestle <[email protected]>, Samuel Sapalski <[email protected]>
    *Subject: *[EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)


    Create new configure option for archival/libarchive based
    extractions to disallow path traversals.

    As this is a paranoid option and might introduce backward
    incompatibility, default it to no.

    Fixes: CVE-2023-39810

    Signed-off-by: Peter Kaestle <[email protected]>
    Reviewed-by: Samuel Sapalski <[email protected]>

    ---

    archival/Config.src                    |  7 +++++++

    archival/libarchive/data_extract_all.c | 22 ++++++++++++++++++++++

    testsuite/cpio.tests                   | 18 ++++++++++++++++++

    3 files changed, 47 insertions(+)

    diff --git a/archival/Config.src b/archival/Config.src

    index 6f4f30c43..ac9d3db95 100644

    --- a/archival/Config.src

    +++ b/archival/Config.src

    @@ -35,4 +35,11 @@ config FEATURE_LZMA_FAST

                  This option reduces decompression time by about 25%
    at the cost of

                  a 1K bigger binary.

    +config FEATURE_PATH_TRAVERSAL_PROTECTION

    +             bool "enable path traversal protection"

    +             default n

    +             help

    +             This option will disallow extraction of files
    outside of the

    +             destination directory.

    +

    endmenu
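Review bot: the help text for FEATURE_PATH_TRAVERSAL_PROTECTION promises more than the option delivers and omits the default; "This option will disallow extraction of files outside of the destination directory" reads as a complete guarantee, while it only enables one check in data_extract_all(). Suggest stating that it applies to all archival/libarchive based extractions (tar, cpio and the other applets that share that code), that it is off by default (`default n`) for backward compatibility as the commit message explains, and that it rejects entries whose names resolve outside the current directory rather than covering every way an archive can write elsewhere.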

    diff --git a/archival/libarchive/data_extract_all.c
    b/archival/libarchive/data_extract_all.c

    index 049c2c156..cb5d5c4ca 100644

    --- a/archival/libarchive/data_extract_all.c

    +++ b/archival/libarchive/data_extract_all.c

    @@ -66,6 +66,28 @@ void FAST_FUNC
    data_extract_all(archive_handle_t *archive_handle)

                  }

    #endif

    +#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION

    +             if (strstr(dst_name, "../")) {

    +                            char *resolved_dst_path, *cwd;

    +

    +                            cwd = getcwd(NULL, 0);

    +

    +                            resolved_dst_path =
    xmalloc_realpath_coreutils(dst_name);

    +                            if (resolved_dst_path) {

    +                                            if (strncmp(cwd,
    resolved_dst_path, strlen(cwd))) {

    +                                                           errno
    = 0; /* suppress missleading error prints */

    +                                                          
    free(resolved_dst_path);

    +                                                          
    bb_perror_msg_and_die("path traversal detected: %s",

    +                                                                           
             
    dst_name);

    +                                            }

    +                                            free(resolved_dst_path);

    +                            } else {

    +                                           
    bb_perror_msg_and_die("cannot allocate memory for real path: %s",

    +                                                                         
    dst_name);

    +                            }

    +             }

    +#endif

    +

                  if (archive_handle->ah_flags &
    ARCHIVE_CREATE_LEADING_DIRS) {

                                  char *slash = strrchr(dst_name, '/');

                                  if (slash) {
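Review bot: the prefix test `strncmp(cwd, resolved_dst_path, strlen(cwd))` accepts any resolved path that merely starts with the cwd string, so with a cwd of `/tmp/out` an entry that resolves to `/tmp/out2/x` passes; after the prefix matches, also require `resolved_dst_path[strlen(cwd)]` to be `'/'` or `'\0'`. In the same block, `cwd` from `getcwd(NULL, 0)` is neither checked for NULL before `strlen(cwd)` nor freed on either branch, and `errno = 0;` followed by `bb_perror_msg_and_die(...)` is simply `bb_error_msg_and_die(...)`, which also removes the need for the "suppress missleading error prints" comment. Note too that the whole check is gated on `strstr(dst_name, "../")`, so names that leave the directory without that substring are never resolved; the help text in Config.src should reflect that scope.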

    diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests

    index 85e746589..1c0b75297 100755

    --- a/testsuite/cpio.tests

    +++ b/testsuite/cpio.tests

    @@ -154,6 +154,24 @@ testing "cpio -R with extract" \

    " "" ""

    SKIP=

    +optional FEATURE_PATH_TRAVERSAL_PROTECTION

    +rm -rf cpio.testdir

    +mkdir -p cpio.testdir/prepare/inner

    +echo "file outside of destination was written" >
    cpio.testdir/prepare/dont_write

    +echo "data" > cpio.testdir/prepare/inner/to_extract

    +mkdir -p cpio.testdir/extract

    +testing "cpio extract file outside of destination" \

    +"(cd cpio.testdir/prepare/inner && echo -e
    '../dont_write\nto_extract' | cpio -H newc --create) |

    +(cd cpio.testdir/extract && cpio -vi 2>&1);

    +echo \$?;

    +ls cpio.testdir/dont_write 2>&1" \

    +"\

    +cpio: path traversal detected: ../dont_write

    +1

    +ls: cpio.testdir/dont_write: No such file or directory

    +" "" ""

    +SKIP=

    +

    # Clean up

    rm -rf cpio.testdir cpio.testdir2 2>/dev/null
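Review bot: `echo -e '../dont_write\nto_extract'` is not portable (a POSIX `echo` may print `-e` literally or not interpret `\n`), so build the member list with `printf '../dont_write\nto_extract\n'` instead. The test also only covers cpio; since the check lives in the shared data_extract_all(), a matching tar case with an entry named `../dont_write` would exercise the other applet path under the same option. The expected output is tied to the exact message "path traversal detected: %s" and to exit status 1, which is fine, but the `ls` line checks `cpio.testdir/dont_write`, so it is worth a comment that this is where `extract/../dont_write` would have landed.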

--
    2.42.0

    _______________________________________________

    busybox mailing list

    [email protected]

    
    http://lists.busybox.net/mailman/listinfo/busybox

