[EXTERNAL] [RESEND(4) PATCH] archival: disallow path traversals (CVE-2023-39810)

ChenQi Qi.Chen at windriver.com
Wed May 7 07:57:56 UTC 2025


Kindly ping

Is this an appropriate fix or do we need another solution?

Regards,
Qi

On 3/31/25 17:39, Ian Norton wrote:
>
> I do not know. I never had any feedback from the maintainers. #16018
> is, I think, just as much of a problem as CVE-2023-39810.
>
> In tar, you *are* allowed to traverse outside the cwd (and use
> absolute paths). But because #16018 can be used to mask the output from
> `tar -t`, it allows an attacker to defeat almost all manual or
> shell-scripted inspection of the archive that would allow a user to
> catch and prevent these traversals.
>
> *From: *busybox <busybox-bounces at busybox.net> on behalf of ChenQi 
> <Qi.Chen at windriver.com>
> *Date: *Monday 31 March 2025 at 10:28
> *To: *"busybox at busybox.net" <busybox at busybox.net>
> *Subject: *Re: [EXTERNAL] [RESEND(4) PATCH] archival: disallow path 
> traversals (CVE-2023-39810)
>
> Will this patch be accepted? Or is it not suitable for busybox for 
> some reason?
>
> Regards,
>
> Qi
>
> On 10/11/24 15:54, Ian Norton wrote:
>
>     FYI, This seems also related to
>     https://bugs.busybox.net/show_bug.cgi?id=16018
>     (my patch for fixing that seems to have got lost in the mailing
>     list noise)
>
>     *From: *busybox <busybox-bounces at busybox.net> on behalf of Peter
>     Kaestle <peter.kaestle at nokia.com>
>     *Date: *Wednesday 2 October 2024 at 09:12
>     *To: *"busybox at busybox.net" <busybox at busybox.net>, Denys Vlasenko
>     <vda.linux at googlemail.com>
>     *Cc: *"martin.schobert at pentagrid.ch" <martin.schobert at pentagrid.ch>,
>     Peter Kaestle <peter.kaestle at nokia.com>, Samuel Sapalski
>     <samuel.sapalski at nokia.com>
>     *Subject: *[EXTERNAL] [RESEND(4) PATCH] archival: disallow path
>     traversals (CVE-2023-39810)
>
>     Create new configure option for archival/libarchive based
>     extractions to disallow path traversals.
>     As this is a paranoid option and might introduce backward
>     incompatibility, default it to no.
>
>     Fixes: CVE-2023-39810
>
>     Signed-off-by: Peter Kaestle <peter.kaestle at nokia.com>
>     Reviewed-by: Samuel Sapalski <samuel.sapalski at nokia.com>
>
>     ---
>
>     archival/Config.src                    |  7 +++++++
>
>     archival/libarchive/data_extract_all.c | 22 ++++++++++++++++++++++
>
>     testsuite/cpio.tests                   | 18 ++++++++++++++++++
>
>     3 files changed, 47 insertions(+)
>
>     diff --git a/archival/Config.src b/archival/Config.src
>
>     index 6f4f30c43..ac9d3db95 100644
>
>     --- a/archival/Config.src
>
>     +++ b/archival/Config.src
>
>     @@ -35,4 +35,11 @@ config FEATURE_LZMA_FAST
>
>                   This option reduces decompression time by about 25%
>     at the cost of
>
>                   a 1K bigger binary.
>
>     +config FEATURE_PATH_TRAVERSAL_PROTECTION
>
>     +             bool "enable path traversal protection"
>
>     +             default n
>
>     +             help
>
>     +             This option will disallow extraction of files
>     outside of the
>
>     +             destination directory.
>
>     +
>
>     endmenu
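
Review bot: The help text for FEATURE_PATH_TRAVERSAL_PROTECTION promises more than the check in data_extract_all.c delivers, and it does not say what happens when a traversal is found. As posted, the check only runs for names containing "../", compares the resolved path against the current working directory, and aborts the whole extraction through bb_perror_msg_and_die. Suggest the help text state that scope (the reference directory is the cwd at extraction time, extraction stops at the first offending member) and mention CVE-2023-39810, since with "default n" the fix is opt-in and easy to miss when configuring a build.
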
>
>     diff --git a/archival/libarchive/data_extract_all.c
>     b/archival/libarchive/data_extract_all.c
>
>     index 049c2c156..cb5d5c4ca 100644
>
>     --- a/archival/libarchive/data_extract_all.c
>
>     +++ b/archival/libarchive/data_extract_all.c
>
>     @@ -66,6 +66,28 @@ void FAST_FUNC
>     data_extract_all(archive_handle_t *archive_handle)
>
>                   }
>
>     #endif
>
>     +#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
>
>     +             if (strstr(dst_name, "../")) {
>
>     +                            char *resolved_dst_path, *cwd;
>
>     +
>
>     +                            cwd = getcwd(NULL, 0);
>
>     +
>
>     +                            resolved_dst_path =
>     xmalloc_realpath_coreutils(dst_name);
>
>     +                            if (resolved_dst_path) {
>
>     +                                            if (strncmp(cwd,
>     resolved_dst_path, strlen(cwd))) {
>
>     +                                                           errno
>     = 0; /* suppress missleading error prints */
>
>     +                                                          
>     free(resolved_dst_path);
>
>     +                                                          
>     bb_perror_msg_and_die("path traversal detected: %s",
>
>     +                                                                                        
>     dst_name);
>
>     +                                            }
>
>     +                                            free(resolved_dst_path);
>
>     +                            } else {
>
>     +                                           
>     bb_perror_msg_and_die("cannot allocate memory for real path: %s",
>
>     +                                                                         
>     dst_name);
>
>     +                            }
>
>     +             }
>
>     +#endif
>
>     +
>
>                   if (archive_handle->ah_flags &
>     ARCHIVE_CREATE_LEADING_DIRS) {
>
>                                   char *slash = strrchr(dst_name, '/');
>
>                                   if (slash) {
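
Review bot: The containment test strncmp(cwd, resolved_dst_path, strlen(cwd)) is a plain string-prefix comparison with no path-component boundary, so a resolved path in a sibling directory whose name merely begins with the cwd's name (cwd /tmp/extract, target /tmp/extract2/file) compares equal and is accepted. Suggest also requiring resolved_dst_path[strlen(cwd)] to be '/' or '\0'. In the same block, the result of getcwd(NULL, 0) is used without a NULL check and is never freed on the path that does not die, and the else branch reports "cannot allocate memory" for what is a failure to resolve dst_name. The strstr(dst_name, "../") gate also means absolute member names are never examined here; if they are rejected elsewhere, a comment saying so would help.
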
>
>     diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests
>
>     index 85e746589..1c0b75297 100755
>
>     --- a/testsuite/cpio.tests
>
>     +++ b/testsuite/cpio.tests
>
>     @@ -154,6 +154,24 @@ testing "cpio -R with extract" \
>
>     " "" ""
>
>     SKIP=
>
>     +optional FEATURE_PATH_TRAVERSAL_PROTECTION
>
>     +rm -rf cpio.testdir
>
>     +mkdir -p cpio.testdir/prepare/inner
>
>     +echo "file outside of destination was written" >
>     cpio.testdir/prepare/dont_write
>
>     +echo "data" > cpio.testdir/prepare/inner/to_extract
>
>     +mkdir -p cpio.testdir/extract
>
>     +testing "cpio extract file outside of destination" \
>
>     +"(cd cpio.testdir/prepare/inner && echo -e
>     '../dont_write\nto_extract' | cpio -H newc --create) |
>
>     +(cd cpio.testdir/extract && cpio -vi 2>&1);
>
>     +echo \$?;
>
>     +ls cpio.testdir/dont_write 2>&1" \
>
>     +"\
>
>     +cpio: path traversal detected: ../dont_write
>
>     +1
>
>     +ls: cpio.testdir/dont_write: No such file or directory
>
>     +" "" ""
>
>     +SKIP=
>
>     +
>
>     # Clean up
>
>     rm -rf cpio.testdir cpio.testdir2 2>/dev/null
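
Review bot: The new test covers a single case, a cpio member named "../dont_write", so it would still pass if the check accepted other escapes or wrongly rejected harmless names. Suggest adding a case where "../" points at a sibling directory whose name starts with the extraction directory's name, a case such as "inner/../to_extract" that stays inside the destination and must still extract, and an equivalent test for tar, since the commit message says the option applies to archival/libarchive based extractions in general. The expected output also hard-codes the text of the ls error message; checking with test -e and echoing a fixed string would be less fragile.
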
>
>     -- 
>
>     2.42.0
>
>     _______________________________________________
>
>     busybox mailing list
>
>     busybox at busybox.net
>
>     http://lists.busybox.net/mailman/listinfo/busybox
>
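
Added example, not part of the thread or of the BusyBox patch: the scripted inspection of archive member names that the reply above refers to, done component by component rather than by searching for the substring "../". The function name `member_escapes_dest` and the sample names are assumptions made for illustration; the check is purely lexical and does not account for symlinks.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if extracting `name` relative to a destination directory could
 * land outside it, judged lexically (no filesystem access): absolute names,
 * or ".." components that climb above the starting directory.
 * Symlinks already present in the destination are NOT accounted for;
 * a stricter policy would reject any ".." component outright. */
int member_escapes_dest(const char *name)
{
    int depth = 0;                      /* directories below the destination */
    const char *p = name;

    if (*p == '/')
        return 1;                       /* absolute path */

    while (*p) {
        size_t len = strcspn(p, "/");   /* length of this component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 1;               /* climbed above the destination */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                    /* ordinary component */
        }
        p += len;
        while (*p == '/')
            p++;                        /* skip separator(s) */
    }
    return 0;
}

int main(void)
{
    /* Constructed member names, not taken from a real archive. */
    const char *names[] = { "to_extract", "../dont_write", "a/../../b",
                            "a/../b", "foo../bar", "/etc/x", "./a//b/.." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s %s\n", names[i],
               member_escapes_dest(names[i]) ? "REJECT" : "ok");
    return 0;
}
```

Note that "foo../bar" contains the substring "../" but is an ordinary name, while ".." with no trailing slash is a traversal that a substring search for "../" does not see.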