Re busybox tar hidden filename exploit

2024-06-13 Thread Ian Norton
Hello all. A few weeks back I logged https://bugs.busybox.net/show_bug.cgi?id=16018 but it doesn’t seem to have had any attention so I thought I’d reach out here. The bug in question shouldn’t be a serious issue for any kind of well written automated scripting, but anyone using a terminal to vi

Re: Re busybox tar hidden filename exploit

2024-06-25 Thread Ian Norton
that would escape any non-ascii would have been my first instinct too though perhaps that would not work so well on non 8-bit charsets. Ian From: Walter Harms Date: Monday, 24 June 2024 at 09:04 To: Ian Norton , busybox@busybox.net Subject: [EXTERNAL] AW: Re busybox tar hidden filename

Re: Re busybox tar hidden filename exploit

2024-06-27 Thread Ian Norton
Looking at header_list() and header_verbose_list(). Fixing it _properly_ would include some awareness of the current charset and terminal type I think. At the very least I guess we could transform all the escape chars and feed chars to a “?” maybe? From: busybox on behalf of Ian Norton Date

Re: [EXTERNAL] Re: AW: Re busybox tar hidden filename exploit

2024-07-08 Thread Ian Norton
From: busybox on behalf of Michael Conrad mcon...@intellitree.com > The underlying root problem here is the same as SQL injection or HTML > cross-site scripting attacks. > You have data, and you emit it in a context that is expecting a > language/protocol of some

Re: [EXTERNAL] Re: Re busybox tar hidden filename exploit

2024-07-08 Thread Ian Norton
I will try to produce a small patch to solve the main issue (masking filenames when listing archive content). My back-of-the-napkin idea is to simply replace the following bytes with “?” when printing them via the header list function: 0x08 (backspace) 0x09 (htab) 0x0a (line feed) 0x0b (vtab) 0x0

[PATCH 1/1] Stop tar printing unsafe archive lists to stdout

2024-07-08 Thread Ian Norton
Fixes #16018 by preventing the output of terminal/formatting codes to stdout when listing archive content See https://bugs.busybox.net/show_bug.cgi?id=16018 If stdout is a TTY unsafe chars are replaced with '?': Before: $ busybox tar -tf bad.tar a-totally-innocent-looking-filename.txt After: $

Re: [EXTERNAL] Re: [PATCH 1/1] Stop tar printing unsafe archive lists to stdout

2024-07-08 Thread Ian Norton
On Monday 8 July 2024 Steffen Nurpmeso wrote: > Seeing diff hunk context i myself would then do (maybe, likely) char c; while((c = *msg++) != '\0') fputc((isprint_asciionly(c) ? c : '?'), fd); |+ } else { |+ fprintf(fd, "%s",

Re: [EXTERNAL] Re: [PATCH 1/1] Stop tar printing unsafe archive lists to stdout

2024-07-09 Thread Ian Norton
On 08/07/2024, 20:58, "Ian Norton" <ian.nor...@entrust.com> wrote: > On Monday 8 July 2024 Steffen Nurpmeso <stef...@sdaoden.eu> wrote: > > But then I did a grep and found unicode_conv_to_printable(). > > How about simply using this??

[PATCH 1/1] Stop tar printing unsafe archive lists to stdout

2024-07-09 Thread Ian Norton
Prevent unprintable bytes including terminal escapes being printed when listing tar file contents in a terminal as this can be used to hide malicious archive content from users prior to unpacking a file. Re #16018 Also added bb_safe_dump_str() to include/libbb.h --- archival/libarchive/header_li

Re: [EXTERNAL] networking: compilation error on ubuntu 24

2024-07-11 Thread Ian Norton
Is it failing to find rtnetlink.h ? Have you installed linux-libc6-dev ? From: busybox on behalf of "dalton.c.russell" Date: Thursday 11 July 2024 at 13:14 To: "busybox@busybox.net" Subject: [EXTERNAL] networking: compilation error on ubuntu 24 hey all, I'm running into multiple errors whil

Re: [EXTERNAL] networking: compilation error on ubuntu 24

2024-07-11 Thread Ian Norton
This looks like: http://lists.busybox.net/pipermail/busybox-cvs/2024-January/041752.html On 11/07/2024, 14:15, "Ian Norton" <ian.nor...@entrust.com> wrote: Is it failing to find rtnetlink.h ? Have you installed linux-libc6-dev ? From: busybox mailto:busybox-boun...@

Re: [EXTERNAL] RE: AW: Re busybox tar hidden filename exploit

2024-07-15 Thread Ian Norton
On 15 July 2024 16:39 David Laight wrote: > On 03 July 2024 01:29 'Michael Conrad' wrote: > > The underlying root problem here is the same as SQL injection or HTML > > cross-site scripting attacks. You have data, and you emit it in a > > context that is expecting a language/protocol > I'm sure s

Re: [PATCH 1/1] Stop tar printing unsafe archive lists to stdout

2024-07-30 Thread Ian Norton
Is there anything more I need to do for this fix? --- On 09/07/2024, 09:27, "Ian Norton" <ian.nor...@entrust.com> wrote: Prevent unprintable bytes including terminal escapes being printed when listing tar file contents in a terminal as this can be used to hide malicious

Re: [PATCH 1/1] Stop tar printing unsafe archive lists to stdout ?

2024-08-27 Thread Ian Norton
Hi all, I'm not really sure what to do now? My change works and is included as patches from my earlier messages but I've not seen it be merged or any questions/changes requested. Ian On 2024-07-30, 09:17, "Ian Norton" <ian.nor...@entrust.com> wrote: > >

[RESEND][PATCH] fix masking of malicious path traversals in archive content listings

2024-10-11 Thread Ian Norton
Prevent unprintable bytes including terminal escapes being printed when listing tar file contents in a terminal as this can be used to hide malicious archive content from users prior to unpacking a file. Re #16018 Also added bb_safe_dump_str() to include/libbb.h --- archival/libarchive/header_lis

Re: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)

2024-10-11 Thread Ian Norton
FYI, This seems also related to https://bugs.busybox.net/show_bug.cgi?id=16018 (my patch for fixing that seems to have got lost in the mailing list noise) From: busybox on behalf of Peter Kaestle Date: Wednesday 2 October 2024 at 09:12 To: "busybox@busybox.net" , Denys Vlasenko Cc: "martin.

Re: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)

2025-04-05 Thread Ian Norton
allow path traversals (CVE-2023-39810) Will this patch be accepted? Or is it not suitable for busybox for some reason? Regards, Qi On 10/11/24 15:54, Ian Norton wrote: FYI, This seems also related to https://bugs.busybox.net/show_bug.cgi?id=16018 (my patch for fixing that seems to Will thi