Debian Bug report logs - #306693
[CAN-2005-1229] cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)


Package: cpio; Maintainer for cpio is Anibal Monsalve Salazar <anibal@debian.org>; Source for cpio is src:cpio.

Reported by: gambarimasu+reportbug@gmail.com

Date: Thu, 28 Apr 2005 02:03:02 UTC

Severity: grave

Tags: patch, security

Found in version 2.5-1.2

Fixed in version cpio/2.6-6

Done: Clint Adams <schizo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, gambarimasu+reportbug@gmail.com, Brian Mays <brian@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to gambarimasu+reportbug@gmail.com:
New Bug report received and forwarded. Copy sent to gambarimasu+reportbug@gmail.com, Brian Mays <brian@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: gambarimasu+reportbug@gmail.com
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: gambarimasu+reportbugcc@gmail.com, bug-cpio@gnu.org
Subject: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
Date: Wed, 27 Apr 2005 18:47:41 -0700
Package: cpio
Version: 2.5-1.2
Severity: normal


Hi,

OK, several related issues here.  You probably already see where I am
going, but please humor me for a minute just in case.  Not sure if I'm
supposed to file with debian or with cpio's own bug lair.

I believe (IMHO) that this is a security issue and should be fixed
soon.  Anybody can create an archive and put it on the net that lots
of trusting people will run cpio -i on to inadvertently write a file
in, say, /etc/cron.daily.

~# touch /etc/cron.daily/aaa
~# find /etc/cron.daily/aaa|cpio -o>a.cpio
1 block
~# \rm -v /etc/cron.daily/aaa 
removed `/etc/cron.daily/aaa'

Imagine that that file is buried deep in a huge archive of files with
innocent relative pathnames, and was made executable first.  Now the
unsuspecting user (who should, but does not, know better), does this:

~# cpio -t < a.cpio 
.... lots of innocent files
/etc/cron.daily/aaa
.... lots of innocent files
1 block
~# cpio -i < a.cpio		#oops, forgot an option
1 block

And does not do this:

~# ls -l /etc/cron.daily/aaa 
-rw-------  1 root root 0 Apr 27 18:23 /etc/cron.daily/aaa
~# \rm -v /etc/cron.daily/aaa
removed `/etc/cron.daily/aaa'

Note that the user should have used the --no-absolute-filenames
option, but did not.  So you could say it's preventable.  But consider
what happens if the pathname is relative:

~# find ../../../../../../../../../../../../etc/cron.daily/aaa | cpio -o>a.cpio

Now that option will not help.  To prevent that requires preprocessing
the archive with cpio -t and grep '\.\.'.  How many users do that?
Especially on a large archive?

OK, here are my comments:

First, there is no way that I know of within cpio -o to prohibit
absolute pathnames and .. in a pathname.  This is important to flag
mistakes in the input and to prevent somebody who runs cpio -i
(including unfixed versions of cpio) from inadvertently installing
your files in unexpected (i.e. not below pwd) places.  IMHO safety
should be the default, but an option would be OK if necessary.
Prohibiting ^/ and \.\. is easy in a shell, but it should be built in
to make error handling easier.  Of course, this doesn't solve the
security problem.  It just avoids mistakes.

Second, more importantly, cpio -o does not by default prohibit
absolute filenames.  The option --no-absolute-filenames is an OK
workaround, but IMHO it should be the default.

Third, even more importantly, cpio -o does not by default or via an
option appear to check for .. in pathnames.  Using .. in the archive
is rarely needed, and IMHO it should be disallowed by default.  At
least, it should be an option.  (If it is disallowed by default, a nop
option to disallow should probably still be provided so that other
versions of cpio will (ideally) balk at an unrecognized option,
tipping the user to be more careful.)

Finally, I have a related wishlist item, which is an option to cpio -o
archives in which all pathnames, whether relative or absolute, are
converted to fully canonical (but NOT symlink-dereferenced unless -L
is used) relativized absolute pathnames.  By this I mean that cpio -o
with this option should canonicalize relative paths into absolute
paths, but remove the leading / (except for /, of course).  This
ensures best safety for unsuspecting cpio -i users, and is a commonly
needed uniform format.

It might be argued that --canonical should be up to the pipeline that
calls cpio -o, but in practice, getting these safety and security
issues right in all cases, including when NULs delimit files, and
including portability concerns, is nontrivial.

I am aware that these issues often apply to other archivers also, but
have not filed reports there.  Over the years they have slowly been
addressing some of them, but not all of them.

I'd like a CC:/BCC: on any and all discussion about this topic, if
possible.

Thanks.  And thanks for cpio; it is my favorite archiver.

gmail ! gambarimasu+reportbug

P.S.  There is another can of worms, which I won't open (much) for
symlinks (e.g. the -L option) and ancillary issues like overwriting of
existing files, trailing slash, and the known issue of what to do for
directories that come after the files in the directories.  For
example, normally we want symlinks not to be dereferenced, so
canonicalizing .. must not also do that by default.  People want a
variety of things here, so the more orthogonality the better.  For
example, most of the time we want /home/me/mysymlink/mydir/myfile to
be archived with the mysymlink intact, and /home/me/mysymlink to be
archived simply as a symlink, but some people might want defined (in
the man page) behavior for trailing slash, such as archiving the
referent if there is a trailing slash.  Of course, it would be nice if
find had options to control some of these things without preprocessing
of the command line and postprocessing of the output.  Overall, I
would like to see a bit more documentation in the cpio man page that
defines what happens if, e.g. a non-writable dir is extracted before
its files (e.g. just how critical is it that cpio -i be called with
find -depth or find | sort -r), or a trailing slash is used.  All of
these issues are related in one way or another.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages cpio depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Brian Mays <brian@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to gambarimasu+spamsucks@gmail.com:
Extra info received and forwarded to list. Copy sent to Brian Mays <brian@debian.org>. Full text and rfc822 format available.

Message #10 received at 306693@bugs.debian.org (full text, mbox):

From: t takahashi <gambarimasu@gmail.com>
To: 306693@bugs.debian.org, bug-cpio@gnu.org
Cc: gambarimasu+reportbugcc@gmail.com
Subject: Re: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
Date: Wed, 27 Apr 2005 19:54:54 -0700
P.P.S.  I found a more subtle security hole.  It is even more dangerous.

/tmp/aaa$ mkdir ../b
/tmp/aaa$ ln -s ../b b
/tmp/aaa$ touch ../b/trojan
/tmp/aaa$ ls b
trojan
/tmp/aaa$ find b b/trojan
b
b/trojan
/tmp/aaa$ find b b/trojan | cpio -o > dangerous
cpio: b: truncating inode number
cpio: b/trojan: truncating inode number
1 block
/tmp/aaa$ /bin/rm -v b/trojan b
removed `b/trojan'
removed `b'
/tmp/aaa$ ls
dangerous
/tmp/aaa$ cpio -t<dangerous 
b
b/trojan
1 block
/tmp/aaa$ cpio -vt<dangerous 
lrwxrwxrwx   1 kpc      kpc             4 Apr 27 19:46 b -> ../b
-rw-------   1 kpc      kpc             0 Apr 27 19:46 b/trojan
1 block

Notice that grep '\.\.' on the output of cpio -t would not find the
relative pathname.  You have to use cpio -vt.  Now watch this:

/tmp/aaa$ cpio -i<dangerous 
1 block
/tmp/aaa$ ls
b  dangerous
/tmp/aaa$ ls ../b
trojan

IMHO cpio should disallow this by default.  Imagine
../../../../../../../etc/cron.daily again.  cpio should check for
extracting in directories that are not below pwd, even if it is via
indirect means such as a symlink.

Wow!
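The two notes above show three ways an archive member can land outside the extraction directory: an absolute name, a `..` component, and (the case that `grep '\.\.'` on `cpio -t` misses) a file written through a symlink the same archive created a moment earlier. The checker below is an added example, not part of the bug report or of cpio: it parses a constructed `cpio -vt` listing in the format quoted above, replays the extraction order to track symlinks, and reports each member a safe extractor should refuse.

```python
# Audit a `cpio -vt` listing for escaping members; SAMPLE_LISTING is a constructed sample.
SAMPLE_LISTING = """\
-rw-r--r--   1 kpc      kpc            12 Apr 27 18:23 README
-rw-r--r--   1 kpc      kpc             0 Apr 27 18:23 /etc/cron.daily/aaa
-rw-r--r--   1 kpc      kpc             0 Apr 27 18:23 ../../../../etc/cron.daily/aaa
lrwxrwxrwx   1 kpc      kpc             4 Apr 27 19:46 b -> ../b
-rw-------   1 kpc      kpc             0 Apr 27 19:46 b/trojan
lrwxrwxrwx   1 kpc      kpc             3 Apr 27 19:46 docs -> lib
-rw-r--r--   1 kpc      kpc             5 Apr 27 19:46 docs/index
1 block
"""

def parse_line(line):
    parts = line.split(None, 8)  # mode links user group size month day time name
    if len(parts) < 9:  # trailer such as "1 block"
        return None
    mode, name, target = parts[0], parts[8], None
    if mode.startswith("l") and " -> " in name:  # symlink: "name -> target"
        name, target = name.split(" -> ", 1)
    return mode, name, target

def _join(parent, child):
    return child if child.startswith("/") or not parent else parent + "/" + child

def resolve(path, links, depth=0):
    """Resolved components of `path` given extracted symlinks, or None if it escapes."""
    if depth > 8 or path.startswith("/"):  # depth guard catches symlink loops
        return None
    stack = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not stack:  # climbing above the extraction directory
                return None
            stack.pop()
            continue
        stack.append(comp)
        here = "/".join(stack)
        if here in links:  # walked onto an extracted symlink: follow it
            stack = resolve(_join("/".join(stack[:-1]), links[here]), links, depth + 1)
            if stack is None:
                return None
    return stack

def audit_listing(listing):
    """[(name, reason)] for every member a safe extractor should refuse."""
    findings, links = [], {}
    for line in listing.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        _mode, name, target = entry
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in name.split("/"):
            findings.append((name, "'..' component"))
        elif (where := resolve(name, links)) is None:
            findings.append((name, "escapes via symlink"))
        elif target is not None:  # record the link so later members see it
            links["/".join(where)] = target
            if resolve(_join("/".join(where[:-1]), target), links) is None:
                findings.append((name, "symlink target outside destination"))
    return findings
```

The `docs -> lib` pair in the sample shows that a symlink staying inside the destination is not reported, so the check is about where a member ends up, not about symlinks as such.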



Information forwarded to debian-bugs-dist@lists.debian.org, Brian Mays <brian@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to gambarimasu+spamsucks@gmail.com:
Extra info received and forwarded to list. Copy sent to Brian Mays <brian@debian.org>. Full text and rfc822 format available.

Message #15 received at 306693@bugs.debian.org (full text, mbox):

From: t takahashi <gambarimasu@gmail.com>
To: gambarimasu+reportbug@gmail.com, 306693@bugs.debian.org
Subject: Re: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
Date: Thu, 28 Apr 2005 16:58:48 -0700
severity: important

After looking at the severities of other cpio bug reports that have
been around for hundreds of days, I concluded that this should be
important instead of normal.



Information forwarded to debian-bugs-dist@lists.debian.org, Brian Mays <brian@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to gambarimasu+spamsucks@gmail.com:
Extra info received and forwarded to list. Copy sent to Brian Mays <brian@debian.org>. Full text and rfc822 format available.

Message #20 received at 306693@bugs.debian.org (full text, mbox):

From: t takahashi <gambarimasu@gmail.com>
To: gambarimasu+reportbug@gmail.com, 306693@bugs.debian.org
Subject: Re: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
Date: Thu, 28 Apr 2005 17:08:22 -0700
tags: security

The docs suggest grave or critical for security bugs, but I'm not sure
whether that is appropriate.



Information forwarded to debian-bugs-dist@lists.debian.org, Brian Mays <brian@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to gambarimasu+spamsucks@gmail.com:
Extra info received and forwarded to list. Copy sent to Brian Mays <brian@debian.org>. Full text and rfc822 format available.

Message #25 received at 306693@bugs.debian.org (full text, mbox):

From: t takahashi <gambarimasu@gmail.com>
To: 306693@bugs.debian.org
Subject: Re: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
Date: Sat, 21 May 2005 14:04:12 -0700
Tags: security
Severity: grave



Information forwarded to debian-bugs-dist@lists.debian.org, Brian Mays <brian@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Brian Mays <brian@debian.org>. Full text and rfc822 format available.

Message #30 received at 306693@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 306693@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Raising severity, CAN number
Date: Mon, 25 Jul 2005 09:17:18 +0200
Tags: security
Severity: grave
thanks

Hi!

As t takahashi already wanted to do, I'm raising the severity and
adding the security tag.

This is CAN-2005-1229 [1], please mention this number in the changelog
when you fix this.

Thanks,

Martin

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

Tags added: security Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `grave'. Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Clint Adams <schizo@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Clint Adams <schizo@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Clint Adams <schizo@debian.org>. Full text and rfc822 format available.

Message #41 received at 306693@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@canonical.com>
To: 306693@bugs.debian.org, 305372@bugs.debian.org
Cc: security@debian.org, control@bugs.debian.org
Subject: Ubuntu patch for cpio CAN-2005-1111 and CAN-2005-1229
Date: Thu, 29 Sep 2005 12:42:41 +0200
tag 306693 patch 
tag 305372 patch
thanks

Hi!

I finally got some time to fix these issues:

  http://patches.ubuntu.com/patches/cpio.CAN-2005-1111_1229.diff

In case it is useful for a DSA, here is the USN text:

| Imran Ghory found a race condition in the handling of output files.
| While a file was unpacked with cpio, a local attacker with write
| permissions to the target directory could exploit this to change the
| permissions of arbitrary files of the cpio user. (CAN-2005-1111)
| 
| Imran Ghory discovered a path traversal vulnerability. Even when the
| --no-absolute-filenames option was specified, cpio did not filter out
| ".." path components. By tricking a user into unpacking a malicious
| cpio archive, this could be exploited to install files in arbitrary
| paths with the privileges of the user calling cpio. (CAN-2005-1229)

Have a nice day,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Tags added: patch Request was from Martin Pitt <martin.pitt@canonical.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #48 received at 306693@bugs.debian.org (full text, mbox):

From: Clint Adams <schizo@debian.org>
To: Martin Pitt <martin.pitt@canonical.com>, 306693@bugs.debian.org, 305372@bugs.debian.org
Subject: Re: Bug#306693: Ubuntu patch for cpio CAN-2005-1111 and CAN-2005-1229
Date: Thu, 29 Sep 2005 09:34:03 -0400
>   http://patches.ubuntu.com/patches/cpio.CAN-2005-1111_1229.diff

Has this been sent to GNU upstream?



Information forwarded to debian-bugs-dist@lists.debian.org, Clint Adams <schizo@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Clint Adams <schizo@debian.org>. Full text and rfc822 format available.

Message #53 received at 306693@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Clint Adams <schizo@debian.org>
Cc: 306693@bugs.debian.org, 305372@bugs.debian.org
Subject: Re: Bug#306693: Ubuntu patch for cpio CAN-2005-1111 and CAN-2005-1229
Date: Thu, 29 Sep 2005 16:04:48 +0200
Hi Clint!

Clint Adams [2005-09-29  9:34 -0400]:
> >   http://patches.ubuntu.com/patches/cpio.CAN-2005-1111_1229.diff
> 
> Has this been sent to GNU upstream?

No idea. This vuln is ages old, but there is no new upstream version
yet, so I presume not.

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer   http://www.debian.org



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #58 received at 306693@bugs.debian.org (full text, mbox):

From: Clint Adams <schizo@debian.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 306693@bugs.debian.org, 305372@bugs.debian.org
Subject: Re: Bug#306693: Ubuntu patch for cpio CAN-2005-1111 and CAN-2005-1229
Date: Thu, 29 Sep 2005 10:13:13 -0400
> No idea. This vuln is ages old, but there is no new upstream version
> yet, so I presume not.

Okay.  I'll send it to them so they can ignore it.



Reply sent to Clint Adams <schizo@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to gambarimasu+reportbug@gmail.com:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #63 received at 306693-close@bugs.debian.org (full text, mbox):

From: Clint Adams <schizo@debian.org>
To: 306693-close@bugs.debian.org
Subject: Bug#306693: fixed in cpio 2.6-6
Date: Thu, 29 Sep 2005 08:02:07 -0700
Source: cpio
Source-Version: 2.6-6

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive:

cpio_2.6-6.diff.gz
  to pool/main/c/cpio/cpio_2.6-6.diff.gz
cpio_2.6-6.dsc
  to pool/main/c/cpio/cpio_2.6-6.dsc
cpio_2.6-6_sparc.deb
  to pool/main/c/cpio/cpio_2.6-6_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 306693@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Adams <schizo@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 29 Sep 2005 10:22:52 -0400
Source: cpio
Binary: cpio
Architecture: source sparc
Version: 2.6-6
Distribution: unstable
Urgency: critical
Maintainer: Clint Adams <schizo@debian.org>
Changed-By: Clint Adams <schizo@debian.org>
Description: 
 cpio       - GNU cpio -- a program to manage archives of files
Closes: 305372 306693
Changes: 
 cpio (2.6-6) unstable; urgency=critical
 .
    * Forward-port Martin Pitt's security patch from Ubuntu:
    - SECURITY UPDATE: Modify permissions of arbitrary files, path traversal.
    - copyin.c, copypass.c: Use fchmod() and fchown() before closing the output
      file instead of chmod() and chown() after closing it. This avoids
      exploiting this race condition with a hardlink attack to chmod/chown
      arbitrary files. [CAN-2005-1111].  closes: #305372.
    - copyin.c: Separate out path sanitizing to safer_name_suffix(): Apart from
      leading slashes, filter out ".." components from output file names if
      --no-absolute-filenames is given, to avoid path traversal.  [CAN-2005-1229]
      closes: #306693.
Files: 
 e1fb620aa56b17bfbe8f70876b3203a3 547 utils important cpio_2.6-6.dsc
 2be1de38e402b437d2837bccf8d45c2a 102926 utils important cpio_2.6-6.diff.gz
 cc3987982fb748d7929582a5c5d136f7 126126 utils important cpio_2.6-6_sparc.deb



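The safer_name_suffix() change in the changelog above strips leading slashes and drops ".." components only when --no-absolute-filenames is given. The following is an added example in Python, not cpio's own code, that renders that rule and pairs it with a final within-destination check on the resulting path; the destination path, the helper names and the handling of a member whose name is emptied by the filter are this example's own choices.

```python
# Python rendering of the name filtering the cpio 2.6-6 changelog describes for
# safer_name_suffix(); an added example, not cpio's own code.
import os


def safer_name_suffix(name, no_absolute_filenames):
    """Output name for an archive member.  With --no-absolute-filenames, leading
    slashes are stripped and every '..' component is dropped (not resolved);
    without the option the member name is used unchanged, as before the fix."""
    if not no_absolute_filenames:
        return name
    parts = [p for p in name.lstrip("/").split("/") if p != ".."]
    # Nothing left (member was "/" or only ".."): this example returns None so the
    # caller skips the member; what cpio itself does here is not stated on this page.
    return "/".join(parts) or None


def stays_within(dest, out_name):
    """Belt-and-braces check: the final path must be dest itself or below it."""
    dest = os.path.abspath(dest)
    final = os.path.normpath(os.path.join(dest, out_name))
    return final == dest or final.startswith(dest + os.sep)


def plan_extraction(members, dest, no_absolute_filenames):
    """Map each member to (member, output name, accepted?) for a given dest."""
    plan = []
    for member in members:
        out = safer_name_suffix(member, no_absolute_filenames)
        accepted = out is not None and stays_within(dest, out)
        plan.append((member, out, accepted))
    return plan
```

The filter works on the name string alone, so a symlink that the archive itself created earlier in the extraction is invisible to it; that is the case the submitter's second note and the follow-up question below concern.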


Information forwarded to debian-bugs-dist@lists.debian.org, Clint Adams <schizo@debian.org>:
Bug#306693; Package cpio. Full text and rfc822 format available.

Acknowledgement sent to t takahashi <gambarimasu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Clint Adams <schizo@debian.org>. Full text and rfc822 format available.

Message #68 received at 306693@bugs.debian.org (full text, mbox):

From: t takahashi <gambarimasu@gmail.com>
To: 306693@bugs.debian.org
Subject: Re: Bug#306693 acknowledged by developer (Bug#306693: fixed in cpio 2.6-6)
Date: Fri, 30 Sep 2005 02:18:09 -0700
>    - copyin.c: Separate out path sanitizing to safer_name_suffix(): Apart from
>     leading slashes, filter out ".." components from output file names if
>     --no-absolute-filenames is given, to avoid path traversal.  [CAN-2005-1229]
>     closes: #306693.

bug submitter here.

thanks for working on this.

does this mean cpio -i --no-absolute-filenames?

i have not tried the new version yet (i will as soon as possible but
it will be a while so i wanted to respond now).  does it address
symlinks with .. also (i.e. my second note)?


--
Webmaster: do you believe that people will switch browsers to view
your page instead of going to your competitor?



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 04:28:48 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 21:41:26 2014; Machine Name: beach.debian.org
