Hi Vasyl,
On Wed, 7 Jan 2015 15:43:54 +0100 Vasyl Kaigorodov <vkaig...@redhat.com> wrote:
> My quick test shows that with the proper filesystem permissions no
> harm could be done:
>
> $ pwd
> /home/vk/cpio
> $ ls -lad /home/postgres/
> drwx------ 4 postgres postgres 4096 May 21 2014 /home/postgres/
> $ ln -s /home/postgres/.mozilla dir
> ...
> $ cpio --no-absolute-filenames -ivF test.cpio
> dir
> cpio: dir/file: Cannot open: Permission denied
> dir/file
> 1 block
The problem is not that you can bypass filesystem permissions with cpio.
cpio is not setuid or special in any other way. Hence filesystem
permissions protect from it just fine.
The problem is with unpacking untrusted archives (downloaded from the
Web, received by email, etc.). If the unpacker doesn't protect from directory
traversals, extracting the contents of a malicious archive could lead to
overwriting sensitive files such as /home/vkaigoro/.ssh/authorized_keys,
i.e. your own files, strictly within filesystem permissions.
> Do you think this is a valid case for a CVE?
Yes.
--
Alexander Cherepanov
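Added example (not cpio's code and not from the thread): a Python screen for a cpio "newc" archive that flags the symlink-then-file pattern discussed above before anything is extracted. The archive it inspects is constructed in memory, and the destination directory /tmp/unpack is an assumed placeholder.

```python
import os
import stat
MAGIC = b"070701"  # SVR4 "newc" portable cpio format

def newc_entry(name, mode, data):
    """One newc entry: 110-byte ASCII hex header, NUL-terminated name, data; both padded to 4."""
    nb = name.encode() + b"\0"
    # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nb), 0]
    hdr = MAGIC + b"".join(b"%08x" % f for f in fields) + nb
    return hdr + b"\0" * (-len(hdr) % 4) + data + b"\0" * (-len(data) % 4)

def parse_newc(buf):
    """Yield (name, mode, data) per entry, stopping at the TRAILER!!! entry."""
    off = 0
    while buf[off:off + 6] == MAGIC:
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = buf[off + 110:off + 110 + namesize - 1].decode()
        off += 110 + namesize + (-(110 + namesize) % 4)
        data = buf[off:off + size]
        off += size + (-size % 4)
        if name == "TRAILER!!!":
            return
        yield name, mode, data
    raise ValueError("bad newc magic at offset %d" % off)

def find_traversals(buf, dest="/tmp/unpack"):
    """Return [(name, reason)] for entries that would land outside dest: absolute or
    '..' paths, symlinks resolving outside dest, paths through an earlier symlink."""
    dest = os.path.abspath(dest)  # assumed placeholder extraction directory
    symlinks, bad = {}, []
    for name, mode, data in parse_newc(buf):
        parts = [p for p in name.split("/") if p not in ("", ".")]
        if name.startswith("/") or ".." in parts:
            bad.append((name, "absolute or parent-relative path"))
        elif any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            bad.append((name, "written through a symlink from this archive"))
        elif stat.S_ISLNK(mode):
            target = data.decode()
            symlinks["/".join(parts)] = target
            resolved = os.path.normpath(os.path.join(dest, *parts[:-1], target))
            if not resolved.startswith(dest + os.sep):
                bad.append((name, "symlink target %r leaves %s" % (target, dest)))
    return bad
# Constructed archives: the thread's symlink-then-file pattern, and a benign one.
MALICIOUS = (newc_entry("dir", stat.S_IFLNK | 0o777, b"/home/postgres/.mozilla")
             + newc_entry("dir/file", stat.S_IFREG | 0o644, b"payload\n")
             + newc_entry("TRAILER!!!", 0, b""))
BENIGN = newc_entry("dir/file", stat.S_IFREG | 0o644, b"ok\n") + newc_entry("TRAILER!!!", 0, b"")
```

Run `find_traversals(MALICIOUS)` to see both the escaping symlink and the file written through it reported; `find_traversals(BENIGN)` returns an empty list.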