[Bug 206386] vendor/libarchive: directory traversal vulnerability/local denial of services

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Jan 18 23:57:27 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206386

            Bug ID: 206386
           Summary: vendor/libarchive: directory traversal
                    vulnerability/local denial of services
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch, security
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: junovitch at freebsd.org
                CC: secteam at FreeBSD.org
             Flags: mfc-stable9?, mfc-stable10?

Created attachment 165785
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165785&action=edit
vendor/libarchive/dist: Apply CVE-2015-2304 patch

Affects:  All supported versions of FreeBSD
CVE Name: CVE-2015-2304

Problem Description:
Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and
earlier allows remote attackers to write to arbitrary files via a full pathname
in an archive. 

Impact:
The issue could be exploited to write arbitrary files as the user invoking cpio
against a specially crafted cpio archive, which could be leveraged to obtain
elevated privileges (e.g. by dropping a crontab or startup script when cpio is
run as root).

Workaround:
No workaround is available, but systems where a privileged user does not
make use of cpio archives without proper validation are not affected.

References:
- https://github.com/libarchive/libarchive/pull/110
- https://github.com/libarchive/libarchive/commit/5935715
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304



COMMIT LOG FOR ATTACHED PATCH:

Apply upstream changeset 5935715:

Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option

This fixes a directory traversal in the cpio tool.

PR: XXXXXX
Security: CVE-2015-2304


Note: I would be more than glad to commit the patch with an 'Approved by' for
src and MFV from head/contrib/libarchive with svn merge -c rXXXXXX
^/vendor/libarchive/dist .

EXAMPLE BEFORE:
##### Generate something for the Proof of concept
# echo '*/1 * * * * echo "Do something evil" > /etc/evil.txt' > /var/cron/tabs/root
##### Package it up
# echo '/var/cron/tabs/root' | cpio -ov > test.cpio
##### Clean up
# rm /var/cron/tabs/root
##### Show it's not there yet
# cat /etc/evil.txt
cat: /etc/evil.txt: No such file or directory
##### Unpackage our "trojaned" file
# cpio -iv < test.cpio
/var/cron/tabs/root
1 block
##### Show it's in place
# cat /var/cron/tabs/root
*/1 * * * * echo "Do something evil" > /etc/evil.txt
##### Since this didn't update the spool dir mtime, be impatient and restart cron to see the impact
# service cron restart
# cat /etc/evil.txt
Do something evil

EXAMPLE AFTER:
##### Unpackage our "trojaned" file
# /usr/local/bin/bsdcpio -iv < test.cpio
/var/cron/tabs/root
/var/cron/tabs/root: Path is absolute
1 block
##### Show it's in place
# cat /var/cron/tabs/root
cat: /var/cron/tabs/root: No such file or directory

Note, /usr/local/bin/bsdcpio is the patched variant I just committed with the
same patch in ports (https://svnweb.FreeBSD.org/changeset/ports/406624).

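As an added example (not part of the bug report and not libarchive's own code), the following Python script parses a cpio archive in the SVR4 "newc" format (magic 070701) and lists the entries an unpatched bsdcpio would write outside the current directory: absolute pathnames, the CVE-2015-2304 case shown above, and pathnames containing a '..' component. The path checks are a simplified model of what ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS and ARCHIVE_EXTRACT_SECURE_NODOTDOT enforce in libarchive; the sample archive, including the crontab payload from the proof of concept, is constructed inside the script rather than read from disk.

```python
"""
Scan a cpio archive (SVR4 "newc" format, magic 070701) for entries whose
pathname would escape the extraction directory: absolute paths (the
CVE-2015-2304 case) and '..' components. Added example; not libarchive code.
"""

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 fields of 8 hex digits each
TRAILER = "TRAILER!!!"    # name of the end-of-archive entry


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment rule)."""
    return (-n) % 4


def build_newc(entries):
    """Build a constructed newc archive from (name, data) pairs, plus trailer.

    Only the fields the scanner reads (filesize, namesize) carry real values;
    the rest are zero or minimal, which is enough for a cpio reader to walk it.
    """
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries) + [(TRAILER, b"")], start=1):
        name_b = name.encode() + b"\0"
        mode = 0 if name == TRAILER else 0o100644
        # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        header = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += header + name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def iter_newc(data):
    """Yield (name, filedata) for each entry, stopping at the trailer."""
    off = 0
    while True:
        header = data[off:off + HEADER_LEN]
        if len(header) < HEADER_LEN or header[:6] != NEWC_MAGIC:
            raise ValueError("bad newc header at offset %d" % off)
        fields = [int(header[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = off + HEADER_LEN
        # namesize counts the trailing NUL; strip it
        name = data[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        if name == TRAILER:
            return
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        yield name, data[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)


def path_escapes(name):
    """Return why a pathname is unsafe to extract relative to the cwd, or None.

    Assumption (simplified model of libarchive's secure-extract checks):
    ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS rejects a leading '/', and
    ARCHIVE_EXTRACT_SECURE_NODOTDOT rejects any '..' path component.
    """
    if name.startswith("/"):
        return "Path is absolute"
    if ".." in name.split("/"):
        return "Path contains '..'"
    return None


def unsafe_entries(archive):
    """[(name, reason)] for every entry an unpatched cpio would write outside cwd."""
    return [(name, path_escapes(name))
            for name, _ in iter_newc(archive) if path_escapes(name)]


# Constructed sample: the bug report's crontab entry, a '..' traversal, and a benign file.
SAMPLE = build_newc([
    ("/var/cron/tabs/root", b'*/1 * * * * echo "Do something evil" > /etc/evil.txt\n'),
    ("etc/../../../tmp/evil", b"x"),
    ("usr/local/etc/ok.conf", b"harmless\n"),
])

if __name__ == "__main__":
    for name, reason in unsafe_entries(SAMPLE):
        print("%s: %s" % (name, reason))
```

The parser only understands the newc format, so a real archive to check must be written with `cpio -o -H newc`; feeding its bytes to `unsafe_entries` gives the list of entries to reject (or to rewrite to relative paths) before handing the archive to a cpio that lacks the NOABSOLUTEPATHS fix.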