On Wednesday 23 April 2025 at 17:04 Jakub Wilk <jw...@jwilk.net> wrote
> > CVE-2023-39810
> But it seems busybox committed a different patch, which looks good:
> https:/git.busybox.net/busybox/commit/?id=9a8796436b9b0641
> ("archival: disallow path traversals (CVE-2023-39810)")
>
> The essence of the patch is:
>
> +#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
> + /* Strip leading "/" and up to last "/../" path component */
> + dst_name = (char *)strip_unsafe_prefix(dst_name);
> +#endif
Yes, that looks better, but it is still an opt-in. Users would need to compile
Busybox with the FEATURE_PATH_TRAVERSAL_PROTECTION feature enabled.
--
Ian
Any email and files/attachments transmitted with it are intended solely for the
use of the individual or entity to whom they are addressed. If this message has
been sent to you in error, you must not copy, distribute or disclose of the
information it contains. Please notify Entrust immediately and delete the
message from your system.
