[Bug 16252] New: Busybox tar:"multiple/repeated symbolic links" can attack host
bugzilla at busybox.net
Mon Nov 4 08:31:58 UTC 2024
https://bugs.busybox.net/show_bug.cgi?id=16252
Bug ID: 16252
Summary: Busybox tar:"multiple/repeated symbolic links" can attack host
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: 3161685274 at qq.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
For the Busybox tar decompression tool, a new attack method of "multiple/repeated
symbolic links" is used to construct malicious package files and hijack system
commands when the victim decompresses the package.
Generally, a user is not allowed to create files or soft links outside the
decompressed directory. However, by constructing multiple soft links with the
same name to take advantage of two extraction cycles, any soft link can be
created anywhere to any target file.
Soft links are processed here to mitigate this problem:
https://git.busybox.net/busybox/tree/archival/libarchive/get_header_tar.c
/* Everything up to and including last ".." component is stripped */
overlapping_strcpy(file_header->name,
strip_unsafe_prefix(file_header->name));
//TODO: do the same for file_header->link_target?
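The report above describes three conditions a defender can check for before an archive is ever unpacked: two members carrying the same name, a symlink whose target lands outside the destination directory, and a later member whose path passes through an earlier symlink. The following pre-extraction audit is an added example and is not BusyBox code; it uses only Python's standard tarfile module, walks the members in extraction order, lexically simulates where each one would end up once earlier symlinks are honoured, and reports every member that trips one of those conditions. The sample archives are constructed in memory for the demonstration; the function names (audit_tar, resolve, build_sample_archive) are the example's own.

```python
"""Pre-extraction audit of a tar archive (added example, not BusyBox code).

Flags: duplicate member names, symlinks whose targets leave the destination
directory, and members that would be written through an earlier symlink.
"""
import io
import posixpath
import tarfile


def resolve(path, links):
    """Lexically normalise `path` (relative to the extraction root) and replace
    any prefix that is a previously recorded symlink by that link's resolved
    target. A result that is absolute or starts with '..' escapes the root."""
    path = posixpath.normpath(path)
    out = []
    for comp in path.split("/"):
        out.append(comp)
        key = "/".join(out)
        if key in links:
            # the prefix written so far is a symlink: continue from its target
            out = links[key].split("/")
    return posixpath.normpath("/".join(out))


def escapes(resolved):
    """True when a resolved location lies outside the extraction root."""
    return resolved.startswith("/") or resolved == ".." or resolved.startswith("../")


def audit_tar(data):
    """Return a list of (member name, reason) findings for the archive bytes.
    Members are processed in archive order, exactly as an extractor would."""
    findings = []
    seen = set()
    links = {}  # archive path of a symlink -> its resolved target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            name = posixpath.normpath(m.name)
            if name in seen:
                findings.append((m.name, "duplicate entry: reuses an earlier member name"))
            seen.add(name)
            where = resolve(name, links)
            if escapes(where):
                findings.append((m.name, f"would be written at {where}, outside the destination"))
            if m.issym():
                # a relative link target is interpreted from the link's own directory
                target = m.linkname
                if not target.startswith("/"):
                    target = posixpath.join(posixpath.dirname(name), target)
                dest = resolve(target, links)
                if escapes(dest):
                    findings.append((m.name, f"symlink target {m.linkname!r} resolves to {dest}, outside the destination"))
                links[name] = dest  # a repeated symlink name replaces the earlier record
            elif name in links:
                del links[name]  # a regular member replacing an earlier symlink of the same name
    return findings


def build_sample_archive(suspicious):
    """Constructed sample data: a clean archive, or one that exercises all three checks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello\n"
        readme = tarfile.TarInfo("README")
        readme.size = len(payload)
        tf.addfile(readme, io.BytesIO(payload))
        if suspicious:
            link = tarfile.TarInfo("share")          # symlink pointing above the root
            link.type = tarfile.SYMTYPE
            link.linkname = "../outside"
            tf.addfile(link)
            through = tarfile.TarInfo("share/config")  # file written through that symlink
            through.size = len(payload)
            tf.addfile(through, io.BytesIO(payload))
            tf.addfile(readme, io.BytesIO(payload))  # same name appearing twice
    return buf.getvalue()


if __name__ == "__main__":
    for label, suspicious in (("clean", False), ("suspicious", True)):
        print(label, audit_tar(build_sample_archive(suspicious)))
```

The check is deliberately lexical: it never touches the filesystem, so it can run on untrusted input before extraction, and an empty result is the condition for proceeding. Hard links and the symlink/name interaction inside nested directories are handled by the same prefix substitution, since every member is resolved against the links recorded before it.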
--
You are receiving this mail because:
You are on the CC list for the bug.