Debian Bug report logs - #305372
TOCTOU file-permissions vulnerability (CAN-2005-1111)


Package: cpio; Maintainer for cpio is Anibal Monsalve Salazar <anibal@debian.org>; Source for cpio is src:cpio.

Reported by: Joey Hess <joeyh@debian.org>

Date: Tue, 19 Apr 2005 17:33:07 UTC

Severity: normal

Tags: patch, security

Found in version 2.5-1.2

Fixed in version cpio/2.6-6

Done: Clint Adams <schizo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Brian Mays <brian@debian.org>:
Bug#305372; Package cpio.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Brian Mays <brian@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: TOCTOU file-permissions vulnerability (CAN-2005-1111)
Date: Tue, 19 Apr 2005 13:21:29 -0400
Package: cpio
Version: 2.5-1.2
Severity: normal
Tags: security

According to the advisory at
 http://marc.theaimsgroup.com/?l=bugtraq&m=111342664116120&w=2

  If a malicious local user has write access to a directory in which a
  target user is using cpio to extract or compress a file, then a
  TOCTOU bug can be exploited to change the permissions of any file
  belonging to that user.

  On decompressing, cpio copies the permissions from the compressed
  cpio file to the uncompressed file. However, there is a gap between the
  uncompressed file being written (and its file handle being closed)
  and the permissions of the file being changed.

  During this gap a malicious user can remove the decompressed file and
  replace it with a hard link to another file belonging to the user.
  cpio will then change the permissions on the hard-linked file to be
  the same as those of the cpio file.

  The vulnerable line of code can be found on line 581 of the file
  copyin.c. cpio also uses chmod in a number of other places which may
  also be vulnerable to exploitation.

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org, Clint Adams <schizo@debian.org>:
Bug#305372; Package cpio.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Clint Adams <schizo@debian.org>.

Message #10 received at 305372@bugs.debian.org:

From: Martin Pitt <martin.pitt@canonical.com>
To: 306693@bugs.debian.org, 305372@bugs.debian.org
Cc: security@debian.org, control@bugs.debian.org
Subject: Ubuntu patch for cpio CAN-2005-1111 and CAN-2005-1229
Date: Thu, 29 Sep 2005 12:42:41 +0200
tag 306693 patch 
tag 305372 patch
thanks

Hi!

I finally got some time to fix these issues:

  http://patches.ubuntu.com/patches/cpio.CAN-2005-1111_1229.diff

In case it is useful for a DSA, here is the USN text:

| Imran Ghory found a race condition in the handling of output files.
| While a file was unpacked with cpio, a local attacker with write
| permissions to the target directory could exploit this to change the
| permissions of arbitrary files of the cpio user. (CAN-2005-1111)
| 
| Imran Ghory discovered a path traversal vulnerability. Even when the
| --no-absolute-filenames option was specified, cpio did not filter out
| ".." path components. By tricking a user into unpacking a malicious
| cpio archive, this could be exploited to install files in arbitrary
| paths with the privileges of the user calling cpio. (CAN-2005-1229)

Have a nice day,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Tags added: patch Request was from Martin Pitt <martin.pitt@canonical.com> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#305372; Package cpio.

Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list.

Message #17 received at 305372@bugs.debian.org:

From: Clint Adams <schizo@debian.org>
To: Martin Pitt <martin.pitt@canonical.com>, 306693@bugs.debian.org, 305372@bugs.debian.org
Subject: Re: Bug#306693: Ubuntu patch for cpio CAN-2005-1111 and CAN-2005-1229
Date: Thu, 29 Sep 2005 09:34:03 -0400
>   http://patches.ubuntu.com/patches/cpio.CAN-2005-1111_1229.diff

Has this been sent to GNU upstream?



Information forwarded to debian-bugs-dist@lists.debian.org, Clint Adams <schizo@debian.org>:
Bug#305372; Package cpio.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Clint Adams <schizo@debian.org>.

Message #22 received at 305372@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Clint Adams <schizo@debian.org>
Cc: 306693@bugs.debian.org, 305372@bugs.debian.org
Subject: Re: Bug#306693: Ubuntu patch for cpio CAN-2005-1111 and CAN-2005-1229
Date: Thu, 29 Sep 2005 16:04:48 +0200
Hi Clint!

Clint Adams [2005-09-29  9:34 -0400]:
> >   http://patches.ubuntu.com/patches/cpio.CAN-2005-1111_1229.diff
> 
> Has this been sent to GNU upstream?

No idea. This vuln is ages old, but there is no new upstream version
yet, so I presume not.

Martin
-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#305372; Package cpio.

Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list.

Message #27 received at 305372@bugs.debian.org:

From: Clint Adams <schizo@debian.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 306693@bugs.debian.org, 305372@bugs.debian.org
Subject: Re: Bug#306693: Ubuntu patch for cpio CAN-2005-1111 and CAN-2005-1229
Date: Thu, 29 Sep 2005 10:13:13 -0400
> No idea. This vuln is ages old, but there is no new upstream version
> yet, so I presume not.

Okay.  I'll send it to them so they can ignore it.



Reply sent to Clint Adams <schizo@debian.org>:
You have taken responsibility.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.

Message #32 received at 305372-close@bugs.debian.org:

From: Clint Adams <schizo@debian.org>
To: 305372-close@bugs.debian.org
Subject: Bug#305372: fixed in cpio 2.6-6
Date: Thu, 29 Sep 2005 08:02:07 -0700
Source: cpio
Source-Version: 2.6-6

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive:

cpio_2.6-6.diff.gz
  to pool/main/c/cpio/cpio_2.6-6.diff.gz
cpio_2.6-6.dsc
  to pool/main/c/cpio/cpio_2.6-6.dsc
cpio_2.6-6_sparc.deb
  to pool/main/c/cpio/cpio_2.6-6_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 305372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Adams <schizo@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 29 Sep 2005 10:22:52 -0400
Source: cpio
Binary: cpio
Architecture: source sparc
Version: 2.6-6
Distribution: unstable
Urgency: critical
Maintainer: Clint Adams <schizo@debian.org>
Changed-By: Clint Adams <schizo@debian.org>
Description: 
 cpio       - GNU cpio -- a program to manage archives of files
Closes: 305372 306693
Changes: 
 cpio (2.6-6) unstable; urgency=critical
 .
    * Forward-port Martin Pitt's security patch from Ubuntu:
    - SECURITY UPDATE: Modify permissions of arbitrary files, path traversal.
    - copyin.c, copypass.c: Use fchmod() and fchown() before closing the output
      file instead of chmod() and chown() after closing it. This avoids
      exploiting this race condition with a hardlink attack to chmod/chown
      arbitrary files. [CAN-2005-1111].  closes: #305372.
    - copyin.c: Separate out path sanitizing to safer_name_suffix(): Apart from
      leading slashes, filter out ".." components from output file names if
      --no-absolute-filenames is given, to avoid path traversal.  [CAN-2005-1229]
      closes: #306693.
Files: 
 e1fb620aa56b17bfbe8f70876b3203a3 547 utils important cpio_2.6-6.dsc
 2be1de38e402b437d2837bccf8d45c2a 102926 utils important cpio_2.6-6.diff.gz
 cc3987982fb748d7929582a5c5d136f7 126126 utils important cpio_2.6-6_sparc.deb

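As an added example (not cpio's code, the Ubuntu patch, or anything from this bug log), the extraction shape the 2.6-6 changelog describes, written out in C: mode and ownership are applied with fchmod()/fchown() to the descriptor that was written through, before close(), so the path is never re-resolved after the data lands. The function names, the temporary directory and the entry body are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened extraction of one archive entry, in the shape of the 2.6-6 fix:
 * owner and mode go to the open descriptor via fchown()/fchmod() before
 * close(). Nothing re-resolves `path` once the file is written, so a hard
 * link swapped in under that name is never chmod'ed. 0 on success, -1 on error. */
int extract_entry(const char *path, const char *data, size_t len,
                  uid_t uid, gid_t gid, mode_t mode)
{
    /* O_NOFOLLOW refuses a symlink planted at the final path component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (write(fd, data, len) != (ssize_t)len) goto fail;
    /* Only root may give a file away; otherwise the extractor keeps its uid. */
    if (geteuid() == 0 && fchown(fd, uid, gid) != 0) goto fail;
    if (fchmod(fd, mode & 07777) != 0) goto fail;
    return close(fd);
fail:
    close(fd);
    return -1;
}

/* Permission bits of whatever `path` names right now, or -1 on error. */
int mode_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Self-check (constructed input): extract one entry with mode 0640 into a
 * fresh temp directory and return the mode actually stored on disk. */
int run_demo(void)
{
    char dir[] = "/tmp/cpio-demo-XXXXXX", path[64];
    const char data[] = "constructed archive entry body\n";
    int mode = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/out.txt", dir);
    if (extract_entry(path, data, sizeof data - 1, getuid(), getgid(), 0640) == 0)
        mode = mode_of(path);
    unlink(path);
    rmdir(dir);
    return mode;
}
```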




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 11:52:59 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:59:16 2014; Machine Name: beach.debian.org
