| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From 59357157706d47c365b2227739e17daba3607526 Mon Sep 17 00:00:00 2001 |
| 2 | From: Alessandro Ghedini <alessandro@ghedini.me> |
| 3 | Date: Sun, 1 Mar 2015 12:07:45 +0100 |
| 4 | Subject: [PATCH] Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option |
| 5 | |
| 6 | This fixes a directory traversal in the cpio tool. |
| 7 | |
| 8 | |
| 9 | Upstream-Status: backport |
| Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 10 | CVE: CVE-2015-2304 |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 11 | |
| 12 | Signed-off-by: Li Zhou <li.zhou@windriver.com> |
| 13 | --- |
| 14 | cpio/bsdcpio.1 | 3 ++- |
| 15 | cpio/cpio.c | 2 ++ |
| 16 | libarchive/archive.h | 2 ++ |
| 17 | libarchive/archive_write_disk.3 | 3 +++ |
| 18 | libarchive/archive_write_disk_posix.c | 14 +++++++++++--- |
| 19 | libarchive/test/test_write_disk_secure.c | 23 +++++++++++++++++++++++ |
| 20 | 6 files changed, 43 insertions(+), 4 deletions(-) |
| 21 | |
| 22 | diff --git a/cpio/bsdcpio.1 b/cpio/bsdcpio.1 |
| 23 | index f966aa0..e52546e 100644 |
| 24 | --- a/cpio/bsdcpio.1 |
| 25 | +++ b/cpio/bsdcpio.1 |
| 26 | @@ -156,7 +156,8 @@ See above for description. |
| 27 | .It Fl Fl insecure |
| 28 | (i and p mode only) |
| 29 | Disable security checks during extraction or copying. |
| 30 | -This allows extraction via symbolic links and path names containing |
| 31 | +This allows extraction via symbolic links, absolute paths, |
| 32 | +and path names containing |
| 33 | .Sq .. |
| 34 | in the name. |
| 35 | .It Fl J , Fl Fl xz |
| 36 | diff --git a/cpio/cpio.c b/cpio/cpio.c |
| 37 | index 0acde11..b267e9b 100644 |
| 38 | --- a/cpio/cpio.c |
| 39 | +++ b/cpio/cpio.c |
| 40 | @@ -171,6 +171,7 @@ main(int argc, char *argv[]) |
| 41 | cpio->extract_flags |= ARCHIVE_EXTRACT_NO_OVERWRITE_NEWER; |
| 42 | cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_SYMLINKS; |
| 43 | cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; |
| 44 | + cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; |
| 45 | cpio->extract_flags |= ARCHIVE_EXTRACT_PERM; |
| 46 | cpio->extract_flags |= ARCHIVE_EXTRACT_FFLAGS; |
| 47 | cpio->extract_flags |= ARCHIVE_EXTRACT_ACL; |
| 48 | @@ -256,6 +257,7 @@ main(int argc, char *argv[]) |
| 49 | case OPTION_INSECURE: |
| 50 | cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_SYMLINKS; |
| 51 | cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NODOTDOT; |
| 52 | + cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; |
| 53 | break; |
| 54 | case 'L': /* GNU cpio */ |
| 55 | cpio->option_follow_links = 1; |
| 56 | diff --git a/libarchive/archive.h b/libarchive/archive.h |
| 57 | index 1f0fc38..ef635ac 100644 |
| 58 | --- a/libarchive/archive.h |
| 59 | +++ b/libarchive/archive.h |
| 60 | @@ -649,6 +649,8 @@ __LA_DECL int archive_read_set_passphrase_callback(struct archive *, |
| 61 | /* Default: Do not use HFS+ compression if it was not compressed. */ |
| 62 | /* This has no effect except on Mac OS v10.6 or later. */ |
| 63 | #define ARCHIVE_EXTRACT_HFS_COMPRESSION_FORCED (0x8000) |
| 64 | +/* Default: Do not reject entries with absolute paths */ |
| 65 | +#define ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (0x10000) |
| 66 | |
| 67 | __LA_DECL int archive_read_extract(struct archive *, struct archive_entry *, |
| 68 | int flags); |
| 69 | diff --git a/libarchive/archive_write_disk.3 b/libarchive/archive_write_disk.3 |
| 70 | index fa925cc..a2e7afa 100644 |
| 71 | --- a/libarchive/archive_write_disk.3 |
| 72 | +++ b/libarchive/archive_write_disk.3 |
| 73 | @@ -177,6 +177,9 @@ The default is to not refuse such paths. |
| 74 | Note that paths ending in |
| 75 | .Pa .. |
| 76 | always cause an error, regardless of this flag. |
| 77 | +.It Cm ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS |
| 78 | +Refuse to extract an absolute path. |
| 79 | +The default is to not refuse such paths. |
| 80 | .It Cm ARCHIVE_EXTRACT_SPARSE |
| 81 | Scan data for blocks of NUL bytes and try to recreate them with holes. |
| 82 | This results in sparse files, independent of whether the archive format |
| 83 | diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c |
| 84 | index ab3bdac..c1290eb 100644 |
| 85 | --- a/libarchive/archive_write_disk_posix.c |
| 86 | +++ b/libarchive/archive_write_disk_posix.c |
| 87 | @@ -2509,8 +2509,9 @@ cleanup_pathname_win(struct archive_write_disk *a) |
| 88 | /* |
| 89 | * Canonicalize the pathname. In particular, this strips duplicate |
| 90 | * '/' characters, '.' elements, and trailing '/'. It also raises an |
| 91 | - * error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is |
| 92 | - * set) any '..' in the path. |
| 93 | + * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is |
| 94 | + * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS |
| 95 | + * is set) if the path is absolute. |
| 96 | */ |
| 97 | static int |
| 98 | cleanup_pathname(struct archive_write_disk *a) |
| 99 | @@ -2529,8 +2530,15 @@ cleanup_pathname(struct archive_write_disk *a) |
| 100 | cleanup_pathname_win(a); |
| 101 | #endif |
| 102 | /* Skip leading '/'. */ |
| 103 | - if (*src == '/') |
| 104 | + if (*src == '/') { |
| 105 | + if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) { |
| 106 | + archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, |
| 107 | + "Path is absolute"); |
| 108 | + return (ARCHIVE_FAILED); |
| 109 | + } |
| 110 | + |
| 111 | separator = *src++; |
| 112 | + } |
| 113 | |
| 114 | /* Scan the pathname one element at a time. */ |
| 115 | for (;;) { |
| 116 | diff --git a/libarchive/test/test_write_disk_secure.c b/libarchive/test/test_write_disk_secure.c |
| 117 | index 31c5bfd..2c94206 100644 |
| 118 | --- a/libarchive/test/test_write_disk_secure.c |
| 119 | +++ b/libarchive/test/test_write_disk_secure.c |
| 120 | @@ -178,6 +178,29 @@ DEFINE_TEST(test_write_disk_secure) |
| 121 | assert(S_ISDIR(st.st_mode)); |
| 122 | archive_entry_free(ae); |
| 123 | |
| 124 | + /* |
| 125 | + * Without security checks, we should be able to |
| 126 | + * extract an absolute path. |
| 127 | + */ |
| 128 | + assert((ae = archive_entry_new()) != NULL); |
| 129 | + archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); |
| 130 | + archive_entry_set_mode(ae, S_IFREG | 0777); |
| 131 | + assert(0 == archive_write_header(a, ae)); |
| 132 | + assert(0 == archive_write_finish_entry(a)); |
| 133 | + assertFileExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); |
| 134 | + assert(0 == unlink("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp")); |
| 135 | + |
| 136 | + /* But with security checks enabled, this should fail. */ |
| 137 | + assert(archive_entry_clear(ae) != NULL); |
| 138 | + archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); |
| 139 | + archive_entry_set_mode(ae, S_IFREG | 0777); |
| 140 | + archive_write_disk_set_options(a, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS); |
| 141 | + failure("Extracting an absolute path should fail here."); |
| 142 | + assertEqualInt(ARCHIVE_FAILED, archive_write_header(a, ae)); |
| 143 | + archive_entry_free(ae); |
| 144 | + assert(0 == archive_write_finish_entry(a)); |
| 145 | + assertFileNotExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); |
| 146 | + |
| 147 | assertEqualInt(ARCHIVE_OK, archive_write_free(a)); |
| 148 | |
| 149 | /* Test the entries on disk. */ |
| 150 | -- |
| 151 | 1.7.9.5 |
| 152 | |