From Qi.Chen at windriver.com Wed May 7 07:57:56 2025
From: Qi.Chen at windriver.com (ChenQi)
Date: Wed, 7 May 2025 15:57:56 +0800
Subject: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)
In-Reply-To: <9DA0B81B-ADE8-4F36-ABF3-8E0D47973137@entrust.com>
References: <20241002081205.2803537-1-peter.kaestle@nokia.com> <8510DCEB-E23E-452A-9616-61892984DD1B@entrust.com> <4f424141-c511-456f-93ef-9da1a4968eb1@windriver.com> <9DA0B81B-ADE8-4F36-ABF3-8E0D47973137@entrust.com>
Message-ID:

Kindly ping. Is this an appropriate fix or do we need another solution?

Regards,
Qi

On 3/31/25 17:39, Ian Norton wrote:
> I do not know. I never had any feedback from the maintainers. #16018
> is I think just as much of a problem as CVE-2023-39810.
>
> In tar, you _are_ allowed to traverse outside the cwd (and use
> absolute paths). But because #16018 can be used to mask the output from
> `tar -t` it allows an attacker to defeat almost all manual or
> shell-scripted inspection of the archive that would allow a user to
> catch and prevent these traversals.
>
> *From: *busybox on behalf of ChenQi
> *Date: *Monday 31 March 2025 at 10:28
> *To: *"busybox at busybox.net"
> *Subject: *Re: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)
>
> Will this patch be accepted? Or is it not suitable for busybox for
> some reason?
>
> Regards,
>
> Qi
>
> On 10/11/24 15:54, Ian Norton wrote:
> FYI, This seems also related to
> https://bugs.busybox.net/show_bug.cgi?id=16018
> (my patch for fixing that seems to have got lost in the mailing
> list noise)
>
> *From: *busybox on behalf of Peter Kaestle
> *Date: *Wednesday 2 October 2024 at 09:12
> *To: *"busybox at busybox.net", Denys Vlasenko
> *Cc: *"martin.schobert at pentagrid.ch", Peter Kaestle, Samuel Sapalski
> *Subject: *[EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)
>
> Create new configure option for archival/libarchive based
> extractions to disallow path traversals.
>
> As this is a paranoid option and might introduce backward
> incompatibility, default it to no.
>
> Fixes: CVE-2023-39810
>
> Signed-off-by: Peter Kaestle
>
> Reviewed-by: Samuel Sapalski
> > --- > > archival/Config.src??????????????????? |? 7 +++++++ > > archival/libarchive/data_extract_all.c | 22 ++++++++++++++++++++++ > > testsuite/cpio.tests?????????????????? | 18 ++++++++++++++++++ > > 3 files changed, 47 insertions(+) > > diff --git a/archival/Config.src b/archival/Config.src > > index 6f4f30c43..ac9d3db95 100644 > > --- a/archival/Config.src > > +++ b/archival/Config.src > > @@ -35,4 +35,11 @@ config FEATURE_LZMA_FAST > > ????????????? This option reduces decompression time by about 25% > at the cost of > > ????????????? a 1K bigger binary. > > +config FEATURE_PATH_TRAVERSAL_PROTECTION > > +???????????? bool "enable path traversal protection" > > +???????????? default n > > +???????????? help > > +???????????? This option will disallow extraction of files > outside of the > > +???????????? destination directory. > > + > > endmenu > > diff --git a/archival/libarchive/data_extract_all.c > b/archival/libarchive/data_extract_all.c > > index 049c2c156..cb5d5c4ca 100644
> > --- a/archival/libarchive/data_extract_all.c > > +++ b/archival/libarchive/data_extract_all.c > > @@ -66,6 +66,28 @@ void FAST_FUNC > data_extract_all(archive_handle_t *archive_handle) > > ????????????? } > > #endif > > +#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION > > +???????????? if (strstr(dst_name, "../")) { > > +??????????????????????????? char *resolved_dst_path, *cwd; > > + > > +??????????????????????????? cwd = getcwd(NULL, 0); > > + > > +??????????????????????????? resolved_dst_path = > xmalloc_realpath_coreutils(dst_name); > > +??????????????????????????? if (resolved_dst_path) { > > +??????????????????????????????????????????? if (strncmp(cwd, > resolved_dst_path, strlen(cwd))) { > > +?????????????????????????????????????????????????????????? errno > = 0; /* suppress missleading error prints */ > > +?????????????????????????????????????????????????????????? > free(resolved_dst_path); > > +?????????????????????????????????????????????????????????? > bb_perror_msg_and_die("path traversal detected: %s", > > +???????????????????????????????????????????????????????????????????????????????????????? > dst_name); > > +??????????????????????????????????????????? } > > +??????????????????????????????????????????? free(resolved_dst_path); > > +??????????????????????????? } else { > > +??????????????????????????????????????????? > bb_perror_msg_and_die("cannot allocate memory for real path: %s", > > +????????????????????????????????????????????????????????????????????????? > dst_name); > > +??????????????????????????? } > > +???????????? } > > +#endif > > + > > ????????????? if (archive_handle->ah_flags & > ARCHIVE_CREATE_LEADING_DIRS) { > > ????????????????????????????? char *slash = strrchr(dst_name, '/'); > > ????????????????????????????? if (slash) { > > diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests > > index 85e746589..1c0b75297 100755 > > --- a/testsuite/cpio.tests > > +++ b/testsuite/cpio.tests 
> > @@ -154,6 +154,24 @@ testing "cpio -R with extract" \ > > " "" "" > > SKIP= > > +optional FEATURE_PATH_TRAVERSAL_PROTECTION > > +rm -rf cpio.testdir > > +mkdir -p cpio.testdir/prepare/inner > > +echo "file outside of destination was written" > > cpio.testdir/prepare/dont_write > > +echo "data" > cpio.testdir/prepare/inner/to_extract > > +mkdir -p cpio.testdir/extract > > +testing "cpio extract file outside of destination" \ > > +"(cd cpio.testdir/prepare/inner && echo -e > '../dont_write\nto_extract' | cpio -H newc --create) | > > +(cd cpio.testdir/extract && cpio -vi 2>&1); > > +echo \$?; > > +ls cpio.testdir/dont_write 2>&1" \ > > +"\ > > +cpio: path traversal detected: ../dont_write > > +1 > > +ls: cpio.testdir/dont_write: No such file or directory > > +" "" "" > > +SKIP= > > + > > # Clean up > > rm -rf cpio.testdir cpio.testdir2 2>/dev/null > > -- > > 2.42.0 > > _______________________________________________ > > busybox mailing list > > busybox at busybox.net > > https://urldefense.com/v3/__http://lists.busybox.net/mailman/listinfo/busybox__;!!FJ-Y8qCqXTj2!dv3Uoeo_xECehdxW2TOtpmp-ONDwsssh0Tl72I5vnwfii2WIcR71lUIMVSJb44L4bKG4Eg6HpK5s3-Bv4ph0xWY$ > > > /Any email and files/attachments transmitted with it are intended > solely for the use of the individual or entity to whom they are > addressed. If this message has been sent to you in error, you must > not copy, distribute or disclose of the information it contains. > _Please notify Entrust immediately and delete the message from > your system._/ > > *Wellbeing Notice:* Receiving this email outside of normal working > hours? Managing work and life responsibilities is unique for > everyone. I have sent this email at a time that works for me. > Unless this email is specifically marked urgent, please respond at > a time that works for you. 
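Review bot: the containment test in the data_extract_all.c hunk, `strncmp(cwd, resolved_dst_path, strlen(cwd))`, is a bare prefix comparison, so with a cwd of `/tmp/out` a resolved path such as `/tmp/out2/x` passes as inside the destination; after the prefix matches, also require `resolved_dst_path[strlen(cwd)]` to be `'/'` or `'\0'` (or compare against `cwd` with a trailing slash appended). Two smaller points in the same hunk: the whole check is gated on `strstr(dst_name, "../")`, so an entry that escapes without that substring (a name ending in `..` with no trailing slash, or an absolute name where the applet does not already strip the leading slash) is never resolved and compared, and the protection should not rely on that pre-filter; and `cwd` from `getcwd(NULL, 0)` is neither checked for NULL before `strncmp` nor freed on any path. The `errno = 0` plus `bb_perror_msg_and_die` pair can simply be `bb_error_msg_and_die`, which needs no comment about suppressing misleading output, and the NULL branch's message `cannot allocate memory for real path` is itself misleading: this block runs before the `ARCHIVE_CREATE_LEADING_DIRS` code creates parent directories, so `realpath` can fail with ENOENT on a not-yet-created parent, which is not an allocation failure.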
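Review bot: the new cpio.tests case only covers a rejected entry; add a companion case with a member whose name contains `../` but resolves inside the destination (for example `inner/../inner/to_extract` created from `cpio.testdir/prepare`) and assert that it is extracted, otherwise an implementation that rejects every name containing `../` would still pass this test. Also, `echo -e '../dont_write\nto_extract'` depends on a non-POSIX echo flag; `printf '../dont_write\nto_extract\n'` produces the same member list under any shell the testsuite is run with.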
From xoneca at gmail.com Tue May 13 09:33:28 2025
From: xoneca at gmail.com (Xabier Oneca -- xOneca)
Date: Tue, 13 May 2025 11:33:28 +0200
Subject: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)
In-Reply-To:
References: <20241002081205.2803537-1-peter.kaestle@nokia.com> <8510DCEB-E23E-452A-9616-61892984DD1B@entrust.com> <4f424141-c511-456f-93ef-9da1a4968eb1@windriver.com> <9DA0B81B-ADE8-4F36-ABF3-8E0D47973137@entrust.com>
Message-ID:

Hi Qi,

FWIW, as he said in his response
(https://lists.busybox.net/pipermail/busybox/2025-April/091436.html),
Denys already committed something similar
(https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3).

Cheers,

Xabier Oneca_,,_

From jan at faulty.computer Thu May 15 08:11:39 2025
From: jan at faulty.computer (Jan Fooken)
Date: Thu, 15 May 2025 08:11:39 +0000 (UTC)
Subject: [PATCH] df: allow 1024 byte blocks when POSIXLY_CORRECT
Message-ID: <20250515074835.23127-2-jan@faulty.computer>

Hi,

while parsing the output of df I realised that the behaviour is a bit different compared to the behaviour described by POSIX, especially when it comes to handling the options -k and -P.

The current and previous revisions of the POSIX standard, POSIX.1-2017 and POSIX.1-2024, both allow for using 1024 byte based blocks when the option -k is passed. This patch implements this functionality even when POSIXLY_CORRECT is set. Furthermore, it aligns the behaviour with the current df variant from GNU coreutils as of version 9.7.

Regarding the -P behaviour: The POSIX spec states to use 512 byte blocks when it's passed, and the current busybox version uses 1024 byte blocks except when POSIXLY_CORRECT is set. I think it would be a good idea to follow POSIX.1 a bit more closely and use 512 byte blocks when -P is passed and 1024 byte blocks when -Pk is passed regardless of the state of POSIXLY_CORRECT. What do you think?

Kind regards
Jan Fooken

--- coreutils/df.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/coreutils/df.c b/coreutils/df.c index 03aa78148..015994efb 100644 --- a/coreutils/df.c +++ b/coreutils/df.c @@ -155,6 +155,9 @@ int df_main(int argc UNUSED_PARAM, char **argv) , &opt_t IF_FEATURE_DF_FANCY(, &chp) ); + if (opt & OPT_KILO) + df_disp_hr = 1024; + if (opt & OPT_MEGA) df_disp_hr = 1024*1024; -- 2.49.0
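Review bot: the added `OPT_KILO` block is placed above the existing `OPT_MEGA` one, so `-k -m` and `-m -k` both end in megabyte blocks whatever the argument order; if that fixed precedence is intended, a one-line comment there would save the next reader from checking, since the cover letter presents `-k` as a deliberate override of the POSIXLY_CORRECT 512-byte default. A testsuite case that runs `POSIXLY_CORRECT=1 busybox df -k` and checks the block-size column header would pin the new behaviour, and the usage text for `-k` should state that 1024-byte blocks now apply even when POSIXLY_CORRECT is set.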