FreeBSD Bugzilla – Attachment 165785 Details for
Bug 206386
vendor/libarchive: directory traversal vulnerability/local denial of services
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
vendor/libarchive/dist: Apply CVE-2015-2304 patch
vendor_libarchive_dist-CVE-2015-2304.patch (text/plain), 5.83 KB, created by
Jason Unovitch
on 2016-01-18 23:57:27 UTC
(
hide
)
Description:
vendor/libarchive/dist: Apply CVE-2015-2304 patch
Filename:
MIME Type:
Creator:
Jason Unovitch
Created:
2016-01-18 23:57:27 UTC
Size:
5.83 KB
patch
obsolete
>SVN patch based off: > >commit 59357157706d47c365b2227739e17daba3607526 >Author: Alessandro Ghedini <alessandro@ghedini.me> >Date: Sun Mar 1 12:07:45 2015 +0100 > > Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option > > This fixes a directory traversal in the cpio tool. > >Index: vendor/libarchive/dist/cpio/bsdcpio.1 >=================================================================== >--- vendor/libarchive/dist/cpio/bsdcpio.1 (revision 294293) >+++ vendor/libarchive/dist/cpio/bsdcpio.1 (working copy) >@@ -156,7 +156,8 @@ > .It Fl Fl insecure > (i and p mode only) > Disable security checks during extraction or copying. >-This allows extraction via symbolic links and path names containing >+This allows extraction via symbolic links, absolute paths, >+and path names containing > .Sq .. > in the name. > .It Fl J , Fl Fl xz >Index: vendor/libarchive/dist/cpio/cpio.c >=================================================================== >--- vendor/libarchive/dist/cpio/cpio.c (revision 294293) >+++ vendor/libarchive/dist/cpio/cpio.c (working copy) >@@ -179,6 +179,7 @@ > cpio->extract_flags |= ARCHIVE_EXTRACT_NO_OVERWRITE_NEWER; > cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_SYMLINKS; > cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; >+ cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; > cpio->extract_flags |= ARCHIVE_EXTRACT_PERM; > cpio->extract_flags |= ARCHIVE_EXTRACT_FFLAGS; > cpio->extract_flags |= ARCHIVE_EXTRACT_ACL; >@@ -264,6 +265,7 @@ > case OPTION_INSECURE: > cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_SYMLINKS; > cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NODOTDOT; >+ cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; > break; > case 'L': /* GNU cpio */ > cpio->option_follow_links = 1; >Index: vendor/libarchive/dist/libarchive/archive.h >=================================================================== >--- vendor/libarchive/dist/libarchive/archive.h (revision 294293) >+++ vendor/libarchive/dist/libarchive/archive.h (working copy) >@@ -562,6 +562,8 @@ > /* Default: Do not use HFS+ compression if it was not compressed. */ > /* This has no effect except on Mac OS v10.6 or later. */ > #define ARCHIVE_EXTRACT_HFS_COMPRESSION_FORCED (0x8000) >+/* Default: Do not reject entries with absolute paths */ >+#define ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (0x10000) > > __LA_DECL int archive_read_extract(struct archive *, struct archive_entry *, > int flags); >Index: vendor/libarchive/dist/libarchive/archive_write_disk.3 >=================================================================== >--- vendor/libarchive/dist/libarchive/archive_write_disk.3 (revision 294293) >+++ vendor/libarchive/dist/libarchive/archive_write_disk.3 (working copy) >@@ -177,6 +177,9 @@ > Note that paths ending in > .Pa .. > always cause an error, regardless of this flag. >+.It Cm ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS >+Refuse to extract an absolute path. >+The default is to not refuse such paths. > .It Cm ARCHIVE_EXTRACT_SPARSE > Scan data for blocks of NUL bytes and try to recreate them with holes. > This results in sparse files, independent of whether the archive format >Index: vendor/libarchive/dist/libarchive/archive_write_disk_posix.c >=================================================================== >--- vendor/libarchive/dist/libarchive/archive_write_disk_posix.c (revision 294293) >+++ vendor/libarchive/dist/libarchive/archive_write_disk_posix.c (working copy) >@@ -2504,8 +2504,9 @@ > /* > * Canonicalize the pathname. In particular, this strips duplicate > * '/' characters, '.' elements, and trailing '/'. It also raises an >- * error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is >- * set) any '..' in the path. >+ * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is >+ * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS >+ * is set) if the path is absolute. > */ > static int > cleanup_pathname(struct archive_write_disk *a) >@@ -2524,8 +2525,15 @@ > cleanup_pathname_win(a); > #endif > /* Skip leading '/'. */ >- if (*src == '/') >+ if (*src == '/') { >+ if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) { >+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, >+ "Path is absolute"); >+ return (ARCHIVE_FAILED); >+ } >+ > separator = *src++; >+ } > > /* Scan the pathname one element at a time. */ > for (;;) { >Index: vendor/libarchive/dist/libarchive/test/test_write_disk_secure.c >=================================================================== >--- vendor/libarchive/dist/libarchive/test/test_write_disk_secure.c (revision 294293) >+++ vendor/libarchive/dist/libarchive/test/test_write_disk_secure.c (working copy) >@@ -178,6 +178,29 @@ > assert(S_ISDIR(st.st_mode)); > archive_entry_free(ae); > >+ /* >+ * Without security checks, we should be able to >+ * extract an absolute path. >+ */ >+ assert((ae = archive_entry_new()) != NULL); >+ archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); >+ archive_entry_set_mode(ae, S_IFREG | 0777); >+ assert(0 == archive_write_header(a, ae)); >+ assert(0 == archive_write_finish_entry(a)); >+ assertFileExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); >+ assert(0 == unlink("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp")); >+ >+ /* But with security checks enabled, this should fail. */ >+ assert(archive_entry_clear(ae) != NULL); >+ archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); >+ archive_entry_set_mode(ae, S_IFREG | 0777); >+ archive_write_disk_set_options(a, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS); >+ failure("Extracting an absolute path should fail here."); >+ assertEqualInt(ARCHIVE_FAILED, archive_write_header(a, ae)); >+ archive_entry_free(ae); >+ assert(0 == archive_write_finish_entry(a)); >+ assertFileNotExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); >+ > assertEqualInt(ARCHIVE_OK, archive_write_free(a)); > > /* Test the entries on disk. */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=165785">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 206386
: 165785 |
165786
|
165895