* Ian Norton <ian.nor...@entrust.com>, 2025-04-23 14:11:
> https://security-tracker.debian.org/tracker/CVE-2023-39810
> This is: "An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal."
> See also https://lists.busybox.net/pipermail/busybox/2024-July/090851.html
This patch appears to be using a realpath(3)-like function, which is not a good tool for this purpose. The function is fundamentally racy, as it could traverse symlinks that are not under your control.
Even worse, on Linux systems you can abuse magic links in /proc to spoof what realpath(3) returns in a race-free manner (although that works only against yourself or root). See https://codeberg.org/jwilk/surrealpath for a proof of concept.
But it seems busybox committed a different patch, which looks good: https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641 ("archival: disallow path traversals (CVE-2023-39810)")

The essence of the patch is:

+#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
+	/* Strip leading "/" and up to last "/../" path component */
+	dst_name = (char *)strip_unsafe_prefix(dst_name);
+#endif

-- 
Jakub Wilk
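Review bot: the stripping in this hunk is compiled in only when ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION is set, so a build with that feature disabled still passes dst_name through unmodified; anyone backporting this for CVE-2023-39810 should confirm the option is enabled in their build configuration. Unlike the realpath(3)-based approach discussed above, this operates on the path string alone and never consults the filesystem, so it has no symlink race. The body of strip_unsafe_prefix is not in the excerpt, so its treatment of ".." components in the middle of a name should be checked against the full commit.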
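To make the contrast with realpath(3) concrete, here is an added example (my own code, not busybox's; the function name strip_unsafe_prefix is reused for readability but this is a hypothetical reimplementation of the behaviour the patch comment describes) that sanitises archive entry names purely as strings: it drops leading "/" and everything up to the last ".." component, so it needs no filesystem access and cannot be raced through symlinks or /proc magic links. The sample entry names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reimplementation: return a pointer into `name` past any
 * leading slashes and past the last ".." path component. The remainder
 * can only name something at or below the extraction directory.
 * Pure string work: no stat(), no readlink(), so no TOCTOU window. */
static const char *strip_unsafe_prefix(const char *name)
{
    const char *p = name;
    for (;;) {
        while (*p == '/')          /* drop leading "/" (absolute paths) */
            p++;
        /* drop a leading "../" or a bare ".." component */
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0')) {
            p += 2;
            continue;
        }
        /* find the last "/../" or trailing "/.." further along the name;
         * "/..foo/" is a legitimate component and must not match */
        const char *last = NULL;
        for (const char *q = p; (q = strstr(q, "/..")) != NULL; q++) {
            if (q[3] == '/' || q[3] == '\0')
                last = q + 3;
        }
        if (last == NULL)
            return p;
        p = last;                  /* re-run: `last` may start with "/" */
    }
}

/* Defender-side helper: an entry is worth logging if stripping changed it,
 * since a benign archive never needs ".." or absolute names. */
static int entry_was_rewritten(const char *name)
{
    return strip_unsafe_prefix(name) != name;
}

int main(void)
{
    /* constructed sample entry names, as a cpio archive might carry them */
    const char *samples[] = { "../../etc/passwd", "/tmp/x", "a/b/../../../c",
                              "a/..foo/b", "foo/../bar", ".." };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> \"%s\"%s\n", samples[i], strip_unsafe_prefix(samples[i]),
               entry_was_rewritten(samples[i]) ? "  (rewritten: log it)" : "");
    return 0;
}
```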