cpio: CVE-2015-1197: directory traversal

Related Vulnerabilities: CVE-2015-1197  

Debian Bug report logs - #774669


Package: cpio; Maintainer for cpio is Anibal Monsalve Salazar <anibal@debian.org>; Source for cpio is src:cpio (PTS, buildd, popcon).

Reported by: Alexander Cherepanov <cherepan@mccme.ru>

Date: Mon, 5 Jan 2015 21:54:01 UTC

Severity: normal

Tags: patch, security

Found in version cpio/2.11+dfsg-0.1

Fixed in version cpio/2.11+dfsg-4.1

Done: Moritz Muehlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://lists.gnu.org/archive/html/bug-cpio



Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774669; Package cpio. (Mon, 05 Jan 2015 21:54:06 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Cherepanov <cherepan@mccme.ru>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Mon, 05 Jan 2015 21:54:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alexander Cherepanov <cherepan@mccme.ru>
To: submit@bugs.debian.org
Subject: Directory traversal through symlinks
Date: Tue, 06 Jan 2015 00:50:18 +0300
Package: cpio
Version: 2.11+dfsg-0.1+deb7u1
Tags: security

cpio is susceptible to a directory traversal vulnerability. While 
extracting an archive, it will extract symlinks and then follow them if 
they are referenced in further entries. This can be exploited by a rogue 
archive to write files outside the current directory.

Example:

1) create a sample archive:

ln -s /tmp dir
echo dir | cpio -oF test.cpio
rm dir
mkdir dir
echo hello > dir/file
echo dir/file | cpio -oAF test.cpio
rm -r dir

2) test it:

cpio --no-absolute-filenames -ivF test.cpio

This will create a symlink "dir" in the current directory and a file 
"/tmp/file".

-- 
Alexander Cherepanov



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774669; Package cpio. (Wed, 07 Jan 2015 14:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Vasyl Kaigorodov <vkaigoro@redhat.com>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 07 Jan 2015 14:45:05 GMT) (full text, mbox, link).


Message #10 received at 774669@bugs.debian.org (full text, mbox, reply):

From: Vasyl Kaigorodov <vkaigoro@redhat.com>
To: 774669@bugs.debian.org
Subject: Directory traversal through symlinks
Date: Wed, 7 Jan 2015 15:43:54 +0100
Hi Alexander,

My quick test shows that with the proper filesystem permissions no
harm could be done:

$ pwd
/home/vk/cpio
$ ls -lad /home/postgres/
drwx------ 4 postgres postgres 4096 May 21  2014 /home/postgres/
$ ln -s /home/postgres/.mozilla dir
...
$ cpio --no-absolute-filenames -ivF test.cpio
dir
cpio: dir/file: Cannot open: Permission denied
dir/file
1 block

Do you think this is a valid case for a CVE?

-- 
Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774669; Package cpio. (Wed, 07 Jan 2015 23:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Cherepanov <cherepan@mccme.ru>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 07 Jan 2015 23:48:04 GMT) (full text, mbox, link).


Message #15 received at 774669@bugs.debian.org (full text, mbox, reply):

From: Alexander Cherepanov <cherepan@mccme.ru>
To: bug-cpio@gnu.org
Cc: 774669@bugs.debian.org
Subject: cpio: directory traversal vulnerability via symlinks
Date: Thu, 08 Jan 2015 02:34:44 +0300
Hi!

--no-absolute-filenames option seems to be intended to limit extracting 
contents of an archive to be strictly inside a current directory (it 
guards against both absolute paths and relative paths with .. in them). 
However it can be bypassed with symlinks. While extracting an archive, 
it will extract symlinks and then follow them if they are referenced in 
further entries. This can be exploited by a rogue archive to write files 
outside the current directory.

For example, let's create a sample archive:

ln -s /tmp dir
touch /tmp/file
echo 'dir
dir/file' | cpio -ov > test.cpio
rm dir /tmp/file

and then test it:

cpio --no-absolute-filenames -iv < test.cpio

This will create a symlink "dir" in the current directory and a file 
"/tmp/file" by following this symlink.

BTW why --no-absolute-filenames is not default? In contrast with tar 
which is secure by default.

-- 
Alexander Cherepanov
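
The archive layout described in messages #5 and #15 (a symlink entry followed by an entry whose path runs through it) can be detected before extraction. The following is an added example, not part of the report or of cpio itself: it assumes the archive is in the "newc" format (`cpio -H newc`) rather than the default format used by the commands above, and the function names and sample archives are constructed for illustration.

```python
import stat

def newc_entry(name, mode, data=b""):
    """Build one constructed newc ("070701") record for the sample archives."""
    raw = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    rec = b"070701" + b"".join(b"%08X" % f for f in fields) + raw
    rec += b"\0" * (-len(rec) % 4)        # header+name is padded to 4 bytes
    return rec + data + b"\0" * (-len(data) % 4)

def parse_newc(blob):
    """Yield (name, mode, data) for each record before TRAILER!!!."""
    pos = 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != b"070701":
            raise ValueError(f"no newc header at offset {pos}")
        # 13 fields of 8 hex digits: ino, mode, uid, gid, nlink, mtime,
        # filesize, devmajor, devminor, rdevmajor, rdevminor, namesize, check
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        start = pos + 110 + namesize
        name = blob[pos + 110:start - 1].decode(errors="replace")
        start += -start % 4               # skip name padding
        data = blob[start:start + size]   # for a symlink this is its target
        pos = start + size + (-(start + size) % 4)
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def find_symlink_traversals(blob):
    """Return (entry, symlink, target) for every entry whose parent path is a
    symlink stored earlier in the same archive (conservative: never forgotten)."""
    links, hits = {}, []
    for name, mode, data in parse_newc(blob):
        parts = [p for p in name.split("/") if p not in ("", ".")]
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in links:
                hits.append((name, prefix, links[prefix]))
                break
        if stat.S_ISLNK(mode):
            links["/".join(parts)] = data.decode(errors="replace")
    return hits

# Constructed samples: SAMPLE mirrors the report ("dir" -> /tmp, then "dir/file").
def archive(*entries):
    return b"".join(newc_entry(*e) for e in entries) + newc_entry("TRAILER!!!", 0)
SAMPLE = archive(("dir", stat.S_IFLNK | 0o777, b"/tmp"),
                 ("dir/file", stat.S_IFREG | 0o644, b"hello\n"))
BENIGN = archive(("dir", stat.S_IFDIR | 0o755),
                 ("dir/file", stat.S_IFREG | 0o644, b"hello\n"))
```

A non-empty result from `find_symlink_traversals` means the archive should not be extracted into a directory where following that symlink matters.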



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774669; Package cpio. (Thu, 08 Jan 2015 00:09:08 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Cherepanov <cherepan@mccme.ru>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Thu, 08 Jan 2015 00:09:08 GMT) (full text, mbox, link).


Message #20 received at 774669@bugs.debian.org (full text, mbox, reply):

From: Alexander Cherepanov <cherepan@mccme.ru>
To: Vasyl Kaigorodov <vkaigoro@redhat.com>
Cc: 774669@bugs.debian.org
Subject: Re: Directory traversal through symlinks
Date: Thu, 08 Jan 2015 03:05:38 +0300
Hi Vasyl,

On Wed, 7 Jan 2015 15:43:54 +0100 Vasyl Kaigorodov <vkaigoro@redhat.com> 
wrote:
> My quick test shows that with the proper filesystem permissions no
> harm could be done:
>
> $ pwd
> /home/vk/cpio
> $ ls -lad /home/postgres/
> drwx------ 4 postgres postgres 4096 May 21  2014 /home/postgres/
> $ ln -s /home/postgres/.mozilla dir
> ...
> $ cpio --no-absolute-filenames -ivF test.cpio
> dir
> cpio: dir/file: Cannot open: Permission denied
> dir/file
> 1 block

The problem is not that you can bypass filesystem permissions with cpio. 
cpio is not setuid or special in any other way. Hence filesystem 
permissions protect from it just fine.

The problem is with unpacking untrusted archives (downloaded from the 
Web, received by email etc.). If unpacker doesn't protect from directory 
traversals extracting contents of a malicious archive could lead to 
overwriting sensitive files such as /home/vkaigoro/.ssh/authorized_keys, 
i.e. your own files, strictly within filesystem permissions.

> Do you think this is a valid case for a CVE?

Yes.

-- 
Alexander Cherepanov



Marked as found in versions cpio/2.11+dfsg-0.1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Thu, 08 Jan 2015 00:45:08 GMT) (full text, mbox, link).


No longer marked as found in versions cpio/2.11+dfsg-0.1+deb7u1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Thu, 08 Jan 2015 00:45:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774669; Package cpio. (Sun, 18 Jan 2015 20:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 18 Jan 2015 20:42:04 GMT) (full text, mbox, link).


Message #29 received at 774669@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Alexander Cherepanov <cherepan@mccme.ru>, 774669@bugs.debian.org
Subject: Re: Bug#774669: Directory traversal through symlinks
Date: Sun, 18 Jan 2015 21:39:21 +0100
Control: retitle -1 cpio: CVE-2015-1197: directory traversal

Hi,

This issue has been assigned CVE-2015-1197 by MITRE.

Regards,
Salvatore



Changed Bug title to 'cpio: CVE-2015-1197: directory traversal' from 'Directory traversal through symlinks' Request was from Salvatore Bonaccorso <carnil@debian.org> to 774669-submit@bugs.debian.org. (Sun, 18 Jan 2015 20:42:04 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'http://lists.gnu.org/archive/html/bug-cpio'. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Mon, 26 Jan 2015 02:51:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774669; Package cpio. (Mon, 02 Feb 2015 18:15:09 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Mon, 02 Feb 2015 18:15:09 GMT) (full text, mbox, link).


Message #38 received at 774669@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 774669@bugs.debian.org
Subject: Re: Bug#774669: Directory traversal through symlinks
Date: Mon, 2 Feb 2015 19:12:03 +0100
Hi,

Additional reference: SUSE used the patch attached to
https://marc.info/?l=oss-security&m=142289947619786&w=2

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774669; Package cpio. (Sat, 21 Feb 2015 13:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 21 Feb 2015 13:24:04 GMT) (full text, mbox, link).


Message #43 received at 774669@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 774669@bugs.debian.org
Subject: Re: Bug#774669: Directory traversal through symlinks
Date: Sat, 21 Feb 2015 14:15:38 +0100
On Mon, Feb 02, 2015 at 07:12:03PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> Additional reference: SUSE used the patch attached to
> https://marc.info/?l=oss-security&m=142289947619786&w=2

Anibal, can you please upload a fixed package?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774669; Package cpio. (Thu, 05 Mar 2015 18:15:08 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Thu, 05 Mar 2015 18:15:08 GMT) (full text, mbox, link).


Message #48 received at 774669@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 774669@bugs.debian.org
Subject: cpio: diff for NMU version 2.11+dfsg-4.1
Date: Thu, 5 Mar 2015 19:11:31 +0100
Control: tags 774669 + patch
Control: tags 774669 + pending

Anibal,
I've prepared an NMU for cpio (versioned as 2.11+dfsg-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Cheers,
        Moritz
[cpio-2.11+dfsg-4.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Moritz Mühlenhoff <jmm@inutil.org> to 774669-submit@bugs.debian.org. (Thu, 05 Mar 2015 18:15:08 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Moritz Mühlenhoff <jmm@inutil.org> to 774669-submit@bugs.debian.org. (Thu, 05 Mar 2015 18:15:09 GMT) (full text, mbox, link).


Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Sat, 07 Mar 2015 18:36:06 GMT) (full text, mbox, link).


Notification sent to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer. (Sat, 07 Mar 2015 18:36:06 GMT) (full text, mbox, link).


Message #57 received at 774669-close@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: 774669-close@bugs.debian.org
Subject: Bug#774669: fixed in cpio 2.11+dfsg-4.1
Date: Sat, 07 Mar 2015 18:33:37 +0000
Source: cpio
Source-Version: 2.11+dfsg-4.1

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 05 Mar 2015 11:44:25 +0100
Source: cpio
Binary: cpio cpio-win32
Architecture: source all amd64
Version: 2.11+dfsg-4.1
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
 cpio       - GNU cpio -- a program to manage archives of files
 cpio-win32 - GNU cpio -- a program to manage archives of files (win32 build)
Closes: 774669
Changes:
 cpio (2.11+dfsg-4.1) unstable; urgency=medium
 .
   * Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197.
     Upstream is dormant or no longer existing. To restore the old
     behaviour use --extract-over-symlinks (Closes: #774669)
     This issue has been discovered by Alexander Cherepanov.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Apr 2015 07:27:25 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:20:02 2019; Machine Name: buxtehude
