I do not know. I never had any feedback from the maintainers. #16018 is, I
think, just as much of a problem as CVE-2023-39810.

In tar, you _are_ allowed to traverse outside the cwd (and use absolute paths).
But because #16018 can be used to mask the output from `tar -t`, it allows an
attacker to defeat almost all manual or shell-scripted inspection of the
archive that would allow a user to catch and prevent these traversals.

From: busybox <busybox-boun...@busybox.net> on behalf of ChenQi 
<qi.c...@windriver.com>
Date: Monday 31 March 2025 at 10:28
To: "busybox@busybox.net" <busybox@busybox.net>
Subject: Re: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals 
(CVE-2023-39810)

Will this patch be accepted? Or is it not suitable for busybox for some reason?

Regards,
Qi

On 10/11/24 15:54, Ian Norton wrote:
FYI, This seems also related to
https://bugs.busybox.net/show_bug.cgi?id=16018
(my patch for fixing that seems to have got lost in the mailing list noise)

From: busybox <busybox-boun...@busybox.net> on behalf of Peter Kaestle
<peter.kaes...@nokia.com>
Date: Wednesday 2 October 2024 at 09:12
To: "busybox@busybox.net" <busybox@busybox.net>, Denys Vlasenko
<vda.li...@googlemail.com>
Cc: "martin.schob...@pentagrid.ch" <martin.schob...@pentagrid.ch>, Peter
Kaestle <peter.kaes...@nokia.com>, Samuel Sapalski <samuel.sapal...@nokia.com>
Subject: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals
(CVE-2023-39810)

Create new configure option for archival/libarchive based extractions to
disallow path traversals.
As this is a paranoid option and might introduce backward
incompatibility, default it to no.

Fixes: CVE-2023-39810

Signed-off-by: Peter Kaestle <peter.kaes...@nokia.com>
Reviewed-by: Samuel Sapalski <samuel.sapal...@nokia.com>

---

 archival/Config.src                    |  7 +++++++

 archival/libarchive/data_extract_all.c | 22 ++++++++++++++++++++++

 testsuite/cpio.tests                   | 18 ++++++++++++++++++

 3 files changed, 47 insertions(+)



diff --git a/archival/Config.src b/archival/Config.src

index 6f4f30c43..ac9d3db95 100644

--- a/archival/Config.src

+++ b/archival/Config.src

@@ -35,4 +35,11 @@ config FEATURE_LZMA_FAST

               This option reduces decompression time by about 25% at the cost 
of

               a 1K bigger binary.



+config FEATURE_PATH_TRAVERSAL_PROTECTION

+             bool "enable path traversal protection"

+             default n

+             help

+             This option will disallow extraction of files outside of the

+             destination directory.

+

 endmenu
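
Review bot: The help text for FEATURE_PATH_TRAVERSAL_PROTECTION promises that files outside "the destination directory" are not extracted, but it does not say which directory that is or what happens when an entry is rejected. The check added in data_extract_all.c compares against getcwd(), only runs for names containing "../", and ends in bb_perror_msg_and_die, so the help should state that the reference is the current working directory, that only names containing "../" are examined, and that the applet aborts at the first offending entry. The backward-incompatibility concern from the commit message also belongs in this help text, since that is where a person configuring the build will look.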

diff --git a/archival/libarchive/data_extract_all.c 
b/archival/libarchive/data_extract_all.c

index 049c2c156..cb5d5c4ca 100644

--- a/archival/libarchive/data_extract_all.c

+++ b/archival/libarchive/data_extract_all.c

@@ -66,6 +66,28 @@ void FAST_FUNC data_extract_all(archive_handle_t 
*archive_handle)

               }

 #endif



+#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION

+             if (strstr(dst_name, "../")) {

+                            char *resolved_dst_path, *cwd;

+

+                            cwd = getcwd(NULL, 0);

+

+                            resolved_dst_path = 
xmalloc_realpath_coreutils(dst_name);

+                            if (resolved_dst_path) {

+                                            if (strncmp(cwd, 
resolved_dst_path, strlen(cwd))) {

+                                                           errno = 0; /* 
suppress missleading error prints */

+                                                           
free(resolved_dst_path);

+                                                           
bb_perror_msg_and_die("path traversal detected: %s",

+                                                                               
          dst_name);

+                                            }

+                                            free(resolved_dst_path);

+                            } else {

+                                            bb_perror_msg_and_die("cannot 
allocate memory for real path: %s",

+                                                                          
dst_name);

+                            }

+             }

+#endif

+

               if (archive_handle->ah_flags & ARCHIVE_CREATE_LEADING_DIRS) {

                               char *slash = strrchr(dst_name, '/');

                               if (slash) {
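
Review bot: The strncmp(cwd, resolved_dst_path, strlen(cwd)) comparison is a plain string-prefix match, so a resolved path in a sibling directory whose name merely begins with the cwd string (for example cwd /tmp/extract and a resolved path under /tmp/extract2) is treated as inside. After the prefix match, also require that resolved_dst_path[strlen(cwd)] is '/' or '\0', with a cwd of "/" handled as its own case. In the same block, the pointer returned by getcwd(NULL, 0) is passed to strlen() without a NULL check and is never freed, and the else branch prints "cannot allocate memory" for every NULL return from xmalloc_realpath_coreutils, which may not be the actual reason the path could not be resolved.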

diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests

index 85e746589..1c0b75297 100755

--- a/testsuite/cpio.tests

+++ b/testsuite/cpio.tests

@@ -154,6 +154,24 @@ testing "cpio -R with extract" \

 " "" ""

 SKIP=



+optional FEATURE_PATH_TRAVERSAL_PROTECTION

+rm -rf cpio.testdir

+mkdir -p cpio.testdir/prepare/inner

+echo "file outside of destination was written" > 
cpio.testdir/prepare/dont_write

+echo "data" > cpio.testdir/prepare/inner/to_extract

+mkdir -p cpio.testdir/extract

+testing "cpio extract file outside of destination" \

+"(cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract' | cpio 
-H newc --create) |

+(cd cpio.testdir/extract && cpio -vi 2>&1);

+echo \$?;

+ls cpio.testdir/dont_write 2>&1" \

+"\

+cpio: path traversal detected: ../dont_write

+1

+ls: cpio.testdir/dont_write: No such file or directory

+" "" ""

+SKIP=

+

 # Clean up

 rm -rf cpio.testdir cpio.testdir2 2>/dev/null
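
Review bot: The new test covers only cpio and only the rejecting case, while the check lives in data_extract_all.c and the commit message scopes it to all archival/libarchive based extractions. Add the same case for another extractor such as tar, and a case in which a name containing "../" still resolves inside the extraction directory, so the suite shows that legitimate archives keep extracting when FEATURE_PATH_TRAVERSAL_PROTECTION is enabled. The expected output here also never confirms what happened to to_extract, so the abort-on-first-entry behaviour is exercised but not asserted.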



--

2.42.0



_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

