On Mon, 8 Jan 2024, Georgi Guninski wrote:
When extracting archives cpio (at least version 2.13) preserves the setuid flag, which might lead to privilege escalation.
So does for example tar. The same rules that apply to tar also apply to cpio:
"Extract from an untrusted archive only into an otherwise-empty directory. This directory and its parent should be accessible only to trusted users."
One example is r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00r without further interaction from root. We believe this is vulnerability, since directory traversal in cpio is considered vulnerability.
This is a user error, not a vulnerability in cpio. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
