CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Debian Bug report logs - #802702
CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Thu, 22 Oct 2015 21:03:06 +0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: busybox
Version: 1:1.22.0-15
Severity: important
Tags: security, upstream

It was discovered that busybox's tar implementation will extract a symlink that
points outside of the current working directory and follow that symlink when
extracting other files. This allows for a directory traversal attack when
extracting untrusted tarballs.

This behavior is documented in the source code:

  http://git.busybox.net/busybox/tree/archival/tar.c#n25

More information:

  https://bugs.busybox.net/8411
  http://openwall.com/lists/oss-security/2015/10/21/4

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJWKSTaAAoJECet96ROqnV0sVgQANaMEz84St56AgwKRyiEh4U1
v8B8yaoIyGJA5H0mAbQV6lfVk48ueh0TFNFx4sanBTuR+tD++ibZSREnyG3xfzSf
U0aqqFGzQONAMMVbsIEzrd0hz+rwZKwchZbjMmjsiPLyexVTK+FDddC+5BsZBhEI
lcyFJYepiR1xXpI7uk2qv1j2+GRwDW7kDIipGWbyZIzBJMHHrsq/9VARteMb27BP
RoXWgr8UcAJ6Gc/wfQQQpLhv4EXZOH0BOL7lF2kLYzu754HiFfwcuU9bULwQ2VPH
8vKxFfiPDmcTO2cDjdzs5ofeRG0PyIURFSBpZ3u1OdanmANp9KM8+Ud5NHWCMtkM
JXtlZZ+4uySoJEtS6GlDw9h90bhXn8ufyRf4UNdiJsx4iB7EoX1AZZjdoCTvuurb
HpzAUTVFIXv6hi3V/3OY2iyZau51vAe7QsQ7moI0felYZvOWL17efLyySSJUB+lr
lXuaAla7fsvO/Y529YqBg+8jx29h4pi0HPCWS+cllf7Avo8fhor9Y0u8Ni4pn4yq
ISzrZZTJGwzKC15wkXUkB4DyzU9TxJBcAJ0CQlLKENFpU+yrYJ2rX1FPsdZJ86CL
r3eWbKWMQpUrmy6GGVOByROaGoo5/PBzcFq+66xQ1utVtHEp/4dtEau+iqU+BTat
54769j9aMKxKOdqs3hnl
=Ft7+
-----END PGP SIGNATURE-----

Message #12 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: 802702@bugs.debian.org

Subject: Re: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Thu, 05 Nov 2015 16:35:06 +0000

[Message part 1 (text/plain, inline)]

tags 802702 + patch
forwarded 802702 https://bugs.busybox.net/show_bug.cgi?id=8411#c2
thanks

Patch attached & sent upstream.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

[busybox.diff.txt (text/plain, attachment)]

Message #21 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: 802702@bugs.debian.org

Subject: Re: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Thu, 05 Nov 2015 16:46:43 +0000

[Message part 1 (text/plain, inline)]

Updated patch attached.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

[busybox.diff.txt (text/plain, attachment)]

Message #26 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: 802702@bugs.debian.org

Subject: Re: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Tue, 10 Nov 2015 16:51:56 +0000

tags 802702 - patch
forwarded 802702 https://bugs.busybox.net/8411
thanks

(Small issues with patch; see upstream tracker)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Message #37 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>

To: Chris Lamb <lamby@debian.org>, Henri Salo <henri@nerv.fi>, 802702@bugs.debian.org

Subject: Re: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Wed, 29 Jun 2016 08:29:43 +0200

[Chris Lamb]
> (Small issues with patch; see upstream tracker)

Any idea why the resolution of this issue did not move any further?  I notice from
the upstream tracker that hardlinks might be a problem too.

-- 
Happy hacking
Petter Reinholdtsen

Message #42 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: Petter Reinholdtsen <pere@hungry.com>, Henri Salo <henri@nerv.fi>, 802702@bugs.debian.org

Subject: Re: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Wed, 29 Jun 2016 08:30:39 +0100

> Any idea why the resolution of this issue did not move any further?  I notice from
> the upstream tracker that hardlinks might be a problem too.

Indeed, the hardlink part was blocking it.

IIRC it was deemed to be low-priority from an LTS point of view so/and I could not justify spending more time on it then. Happy to look again if there is a more urgent requirement.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Message #47 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>

To: Chris Lamb <lamby@debian.org>, Henri Salo <henri@nerv.fi>, 802702@bugs.debian.org

Subject: Re: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Wed, 29 Jun 2016 10:39:25 +0200

[Chris Lamb]
> IIRC it was deemed to be low-priority from an LTS point of view so/and
> I could not justify spending more time on it then. Happy to look again
> if there is a more urgent requirement.

Right.  It is still unsolved in stable, testing, unstable and upstream,
and the second oldest open CVE on my stable laptop (the oldest is in
ruby, and pending a stable update), so I would like to see it fixed to
reduce the number of known security problems on my machine. :)

Can not say much about the priority or urgency related to other issues,
though. :)

I've poked upstream too, and hope some solution will materialise.

-- 
Happy hacking
Petter Reinholdtsen

Message #52 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: Petter Reinholdtsen <pere@hungry.com>, 802702@bugs.debian.org, Chris Lamb <lamby@debian.org>, Henri Salo <henri@nerv.fi>

Subject: Re: Bug#802702: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Wed, 29 Jun 2016 14:51:05 +0200

[Message part 1 (text/plain, inline)]

On Wed, 2016-06-29 at 10:39 +0200, Petter Reinholdtsen wrote:
> [Chris Lamb]
> > IIRC it was deemed to be low-priority from an LTS point of view so/and
> > I could not justify spending more time on it then. Happy to look again
> > if there is a more urgent requirement.
> 
> Right.  It is still unsolved in stable, testing, unstable and upstream,
> and the second oldest open CVE on my stable laptop (the oldest is in
> ruby, and pending a stable update), so I would like to see it fixed to
> reduce the number of known security problems on my machine. :)
> 
> Can not say much about the priority or urgency related to other issues,
> though. :)
> 
> I've poked upstream too, and hope some solution will materialise.

This was fixed in GNU tar some years ago, and I was able to implement a
similar fix in p7zip (thought that was simpler because p7zip doesn't
support hard links).

busybox tar should do basically the same as GNU tar, though without
copying code since they are unfortunately not licence-compatible.

Ben.

-- 

Ben Hutchings
Make three consecutive correct guesses and you will be considered an
expert.

[signature.asc (application/pgp-signature, inline)]

Message #57 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: Ben Hutchings <ben@decadent.org.uk>, Petter Reinholdtsen <pere@hungry.com>, 802702@bugs.debian.org, Henri Salo <henri@nerv.fi>

Subject: Re: Bug#802702: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Wed, 29 Jun 2016 13:57:58 +0100

> busybox tar should do basically the same as GNU tar

Indeed. The implementation wasn't quite as straightforward or as clean as fixing the symlinks case, hence why my patch on upstream's bugtracker only addresses that part.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Message #62 received at 802702@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>

To: 802702@bugs.debian.org, Chris Lamb <lamby@debian.org>, Ben Hutchings <ben@decadent.org.uk>, Henri Salo <henri@nerv.fi>

Subject: Re: Bug#802702: CVE-2011-5325: busybox: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

Date: Fri, 30 Sep 2016 07:41:17 +0200

For the record, this issue is still flagged as unsolved upstream. :(
No activity in the bug tracker there since 2015 when Chris added the
last comment.
-- 
Happy hacking
Petter Reinholdtsen

Message #69 received at 802702-close@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <bootc@debian.org>

To: 802702-close@bugs.debian.org

Subject: Bug#802702: fixed in busybox 1:1.27.2-1

Date: Sun, 17 Sep 2017 17:19:07 +0000

Source: busybox
Source-Version: 1:1.27.2-1

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 802702@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Boot <bootc@debian.org> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Sep 2017 17:59:31 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source
Version: 1:1.27.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Chris Boot <bootc@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 794526 802702 803097 812074 818497 818499 873472
Changes:
 busybox (1:1.27.2-1) unstable; urgency=medium
 .
   * New upstream release. This addresses:
     - Segmentation fault when creating compressed tar files. (Closes: #812074)
     - Pointer misuse unziping files. (Closes: #803097)
     - Buffer overflow in the DHCP client [CVE-2016-2148]. (Closes: #818497)
     - Integer overflow in the DHCP client [CVE-2016-2147]. (Closes: #818499)
   * Postpone creation of symlinks with "suspicious" targets [CVE-2011-5325].
     (Closes: #802702)
   * Re-enable the test suite during build. (Closes: #794526)
   * udhcpc: correct a typo in /etc/udhcpc/default.script. (Closes: #873472)
   * Debian packaging changes:
     - Run wrap-and-sort -st.
     - Update debian/control:
       - Replace Uploaders with myself and Christoph Biedl. Many thanks to
         Bastian Blank and Michael Tokarev for having maintained busybox for
         many years prior.
       - Remove Build-Depends to avoid ancient broken libc-dev-bin.
       - Bump Build-Depends on debhelper to >= 10.
     - Rewrite debian/rules:
       - Simplify and use the dh sequencer.
       - Remove test for ancient broken libc6 versions with static binaries.
       - Strip -O2 from CFLAGS, falling back to -Os from the busybox
         configuration.
       - Abort the build if 'make oldconfig' changes the configuration at all.
     - Update busybox build configuration files for the new upstream release.
       - The udeb configuration mostly hasn't changed, but enable fgrep,
         blkdiscard, bzcat and lsscsi.
       - The deb and static configurations have had upstream recommendations
         enabled for new options.
     - Switch to debhelper compatibility level 10.
     - Add Depends on lsb-base to busybox-syslogd and udhcpd.
     - Update debian/.gitignore.
     - Update Standards-Version to 4.0.1:
       - Disable tests that require networking.
Checksums-Sha1:
 4c7441a1204b61438f0eb2f272698fe372eede71 2359 busybox_1.27.2-1.dsc
 11669e223cc38de646ce26080e91ca29b8d42ad9 2216527 busybox_1.27.2.orig.tar.bz2
 25b8ec9d11fe9fcb8e2d79621a32b760c7d3c10f 49272 busybox_1.27.2-1.debian.tar.xz
 54cf758c6edeaf2bda34d6b8e08a44ba062b68cf 7236 busybox_1.27.2-1_amd64.buildinfo
Checksums-Sha256:
 67947957df59b7e145af1453c1a8cd28c3cd39d9d13cf1f2e7a12b8d073b4e81 2359 busybox_1.27.2-1.dsc
 9d4be516b61e6480f156b11eb42577a13529f75d3383850bb75c50c285de63df 2216527 busybox_1.27.2.orig.tar.bz2
 f2ed3f2e3dc63487efec85d65167e6a4fb31f6b300f1a45fd284de0d10405b8c 49272 busybox_1.27.2-1.debian.tar.xz
 38714b5eb9f437dd78eca0bc12379a651c71ddbf2c99eba3e40289d651244b77 7236 busybox_1.27.2-1_amd64.buildinfo
Files:
 300538e8de0e12d9bd8939b3330357c2 2359 utils optional busybox_1.27.2-1.dsc
 476186f4bab81781dab2369bfd42734e 2216527 utils optional busybox_1.27.2.orig.tar.bz2
 4176babb785eb5f2b3289c24343ef7e1 49272 utils optional busybox_1.27.2-1.debian.tar.xz
 87423bdbf689420d433ee08c59ccb3e2 7236 utils optional busybox_1.27.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE2oqQ9X/7HWR+QDTaQRpzPmfWT/4FAlm+rDdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldERB
OEE5MEY1N0ZGQjFENjQ3RTQwMzREQTQxMUE3MzNFNjdENjRGRkUACgkQQRpzPmfW
T/5ExRAA6rbhIacnoEgLN3g5YImMrlqz+Cyvc2+Y6Rw/bkKlXDQ62QEDuyN7ylPS
O51RquWR1nTcK1YLqYiFaqYs/XkaNvhCpuuKPwEbwosaUhg52OQFT+U18B3dfaHw
/xVOekqYrEEJGC4X1lqE3xv3KQH04UZcrhPBu2L2FnGnx/sTIuWcqJlWS3GTRDCZ
9qpSvYWzuvj5yM6SmRbqx+lWD5QI5cjvxQYcQpbIuDUaqF8owHP+wHGxcrrSok0P
1kCUUMvdRUJ4BzRiVhjE1G1j1zDvRqBDywAeAVq4Ch0weHE0nLqz5+JXAtEktyVA
bYVnN6H2mb2P+JzzeXlK66eFu1CYKtPuq5v/sTCNadXJ84w5NyBry/fqXJjBqqkL
gvN7/WpZ8bX8BRh/YE3fJ31nSpvLIeY5wqBuSs0Pfy+Ob/K3Kk1uJVMc0JB8FCTK
hA0JGpU7PULSqVIEWFN1SvOUQsczLQCqi9bgHLOacWV2BfCdZpvUEl/kJJTU9AFt
sAu0EEdITZu8m8DRru9GM1VFARsViDwkfBSJp/D/kvHThC7VwPjBOrlDrn6/Vw/9
NCcYp43mmKO4WA90tZnvo0gmu5L3CikFfAYJalkC2D6yIQ11XwWe4FI4qrnxluv8
AGZ1M6CfSjGeC2REqWVu3VqjnRk8/nbC6wqkiwac1JBYjn1CyOY=
=AQ2U
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.