CLD-252 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-7516 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) cpio
Deficiency Type SECURITY
Date Created 2018-01-29 17:17:09
Date Last Modified 2018-01-29 17:35:46

Version Specific Information:

Cucumber 1.0 i686 fixed in cpio-2.12-i686-2
Cucumber 1.0 x86_64 fixed in cpio-2.12-x86_64-2

Cucumber 1.1 i686 fixed in cpio-2.12-i686-2
Cucumber 1.1 x86_64 fixed in cpio-2.12-x86_64-2

Details:

=================================== Overview ===================================

It was found that, since version 2.7, the cpio --no-absolute-filenames option did
not verify paths during extraction. A specially crafted cpio archive could
bypass this option and write to an arbitrary location outside of the
extraction directory.

================================ Initial Report ================================

From https://lists.gnu.org/archive/html/bug-cpio/2017-06/msg00001.html:

Hi,

Looking at cpio, I found what seems to be a way to bypass the
--no-absolute-filenames option, which supposedly prevents data from being
written outside of the current folder.

One just needs to create a cpio archive that contains a symlink to the required
destination, then a file that appears to be from inside the symlink (this
requires a specially crafted cpio archive):

1) there is no file called /tmp/blah
address@hidden testings]$ ll
total 4
-rw-rw-r--. 1 cedric cedric 384 Jun  4 22:34 link.cpio
address@hidden testings]$ ll /tmp/blah
ls: cannot access '/tmp/blah': No such file or directory

2) I extract the specially crafted cpio
address@hidden testings]$ cpio -idv --no-absolute-filenames < link.cpio
link
link/blah
1 block

3) there is a file /tmp/blah
address@hidden testings]$ ll
total 4
lrwxrwxrwx. 1 cedric cedric   5 Jun  4 22:21 link -> /tmp/
-rw-rw-r--. 1 cedric cedric 384 Jun  4 22:15 link.cpio
address@hidden testings]$ ll /tmp/blah
-rw-rw-r--. 1 cedric cedric 3 Jun  4 22:21 /tmp/blah

The very naive patch attached makes use of safer_name_suffix() to sanitize
symlink's value.

Thanks!

-- 
Cedric Buissart,
Product Security

================================= Our Analysis =================================

----- Affected Products -----
All versions of cpio since 2.7 that have not had the patch from
https://lists.gnu.org/archive/html/bug-cpio/2017-06/txt8lVereD0rk.txt applied
are affected by this vulnerability. This includes cpio as originally packaged
in Cucumber Linux.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows an attacker to overwrite an arbitrary file on the
target user's filesystem when the target user extracts a specially crafted cpio
archive.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://lists.gnu.org/archive/html/bug-cpio/2017-06/txt8lVereD0rk.txt.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt.