Will this patch be accepted? Or is it not suitable for busybox for some
reason?
Regards,
Qi
On 10/11/24 15:54, Ian Norton wrote:
FYI, This seems also related to
https://bugs.busybox.net/show_bug.cgi?id=16018
(my patch for fixing that seems to have got lost in the mailing list
noise)
*From: *busybox <busybox-boun...@busybox.net> on behalf of Peter
Kaestle <peter.kaes...@nokia.com>
*Date: *Wednesday 2 October 2024 at 09:12
*To: *"busybox@busybox.net" <busybox@busybox.net>, Denys Vlasenko
<vda.li...@googlemail.com>
*Cc: *"martin.schob...@pentagrid.ch" <martin.schob...@pentagrid.ch>,
Peter Kaestle <peter.kaes...@nokia.com>, Samuel Sapalski
<samuel.sapal...@nokia.com>
*Subject: *[EXTERNAL] [RESEND(4) PATCH] archival: disallow path
traversals (CVE-2023-39810)
Create new configure option for archival/libarchive based extractions to
disallow path traversals.
As this is a paranoid option and might introduce backward
incompatibility, default it to no.
Fixes: CVE-2023-39810
Signed-off-by: Peter Kaestle <peter.kaes...@nokia.com>
Reviewed-by: Samuel Sapalski <samuel.sapal...@nokia.com>
---
archival/Config.src | 7 +++++++
archival/libarchive/data_extract_all.c | 22 ++++++++++++++++++++++
testsuite/cpio.tests | 18 ++++++++++++++++++
3 files changed, 47 insertions(+)
diff --git a/archival/Config.src b/archival/Config.src
index 6f4f30c43..ac9d3db95 100644
--- a/archival/Config.src
+++ b/archival/Config.src
@@ -35,4 +35,11 @@ config FEATURE_LZMA_FAST
This option reduces decompression time by about 25% at
the cost of
a 1K bigger binary.
+config FEATURE_PATH_TRAVERSAL_PROTECTION
+ bool "enable path traversal protection"
+ default n
+ help
+ This option will disallow extraction of files outside of the
+ destination directory.
+
endmenu
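Review bot: The help text for FEATURE_PATH_TRAVERSAL_PROTECTION says only that extraction outside the destination directory is disallowed; it should also say that a detected traversal aborts the whole extraction (the code calls bb_perror_msg_and_die) and that the option covers all archival/libarchive based extraction, not only cpio. With `default n`, a build that does not opt in keeps the behaviour reported as CVE-2023-39810, so the help text is the one place a configurator learns this is a security fix; naming the CVE there would help.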
diff --git a/archival/libarchive/data_extract_all.c
b/archival/libarchive/data_extract_all.c
index 049c2c156..cb5d5c4ca 100644
--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
@@ -66,6 +66,28 @@ void FAST_FUNC data_extract_all(archive_handle_t
*archive_handle)
}
#endif
+#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
+ if (strstr(dst_name, "../")) {
+ char *resolved_dst_path, *cwd;
+
+ cwd = getcwd(NULL, 0);
+
+ resolved_dst_path =
xmalloc_realpath_coreutils(dst_name);
+ if (resolved_dst_path) {
+ if (strncmp(cwd,
resolved_dst_path, strlen(cwd))) {
+ errno = 0;
/* suppress missleading error prints */
+
free(resolved_dst_path);
+
bb_perror_msg_and_die("path traversal detected: %s",
+
dst_name);
+ }
+ free(resolved_dst_path);
+ } else {
+
bb_perror_msg_and_die("cannot allocate memory for real path: %s",
+
dst_name);
+ }
+ }
+#endif
+
if (archive_handle->ah_flags &
ARCHIVE_CREATE_LEADING_DIRS) {
char *slash = strrchr(dst_name, '/');
if (slash) {
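Review bot: The containment test `strncmp(cwd, resolved_dst_path, strlen(cwd))` is a plain string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the cwd string (cwd `/a/dest`, resolved `/a/dest2/f`) compares equal and is accepted. After the prefix matches, also require that `resolved_dst_path[strlen(cwd)]` is `'/'` or `'\0'`, with a cwd of `/` handled separately. Two smaller points in the same block: the result of `getcwd(NULL, 0)` goes to `strlen()` without a NULL check, and `cwd` is never freed on the path where the check passes. The `strstr(dst_name, "../")` gate also means any name without that substring skips the check entirely, which deserves a comment stating that limit.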
diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests
index 85e746589..1c0b75297 100755
--- a/testsuite/cpio.tests
+++ b/testsuite/cpio.tests
@@ -154,6 +154,24 @@ testing "cpio -R with extract" \
" "" ""
SKIP=
+optional FEATURE_PATH_TRAVERSAL_PROTECTION
+rm -rf cpio.testdir
+mkdir -p cpio.testdir/prepare/inner
+echo "file outside of destination was written" >
cpio.testdir/prepare/dont_write
+echo "data" > cpio.testdir/prepare/inner/to_extract
+mkdir -p cpio.testdir/extract
+testing "cpio extract file outside of destination" \
+"(cd cpio.testdir/prepare/inner && echo -e
'../dont_write\nto_extract' | cpio -H newc --create) |
+(cd cpio.testdir/extract && cpio -vi 2>&1);
+echo \$?;
+ls cpio.testdir/dont_write 2>&1" \
+"\
+cpio: path traversal detected: ../dont_write
+1
+ls: cpio.testdir/dont_write: No such file or directory
+" "" ""
+SKIP=
+
# Clean up
rm -rf cpio.testdir cpio.testdir2 2>/dev/null
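Review bot: The new case only exercises a leading `../dont_write` through cpio; nothing shows that a name containing `../` which still resolves inside the destination is accepted, so a false positive in the new check would go unnoticed. Add a positive case of that kind, and since the check sits in data_extract_all.c rather than in cpio itself, a matching case in the tar tests would cover the shared path. The expected output also depends on extraction aborting at the first entry (to_extract is never listed); a comment saying so would make that intent explicit.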
--
2.42.0
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox