From 07b699ab37025d33af04fb20236ec5eca02f6018 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Wed, 12 Aug 2015 15:00:03 +0200 Subject: cpio: fix CVE-2015-1197 Fixes directory traversal vulnerability via symlinks Initial report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669 Upstream report: https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197 Signed-off-by: Sona Sarmadi --- .../cpio/cpio-2.11/cpio-CVE-2015-1197.patch | 154 +++++++++++++++++++++ meta/recipes-extended/cpio/cpio_2.11.bb | 1 + 2 files changed, 155 insertions(+) create mode 100644 meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch diff --git a/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch b/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch new file mode 100644 index 0000000000..b54afb867f --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch @@ -0,0 +1,154 @@ +Description: CVE-2015-1197 + Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197. + Upstream is dormant or no longer existing. To restore the old + behaviour use --extract-over-symlinks (Closes: #774669) + This issue has been discovered by Alexander Cherepanov. +Author: Vitezslav Cizek +Bug-Debian: https://bugs.debian.org/774669 + +Upstream-Status: Backport + +Signed-off-by: Robert Yang + +--- cpio-2.11+dfsg.orig/doc/cpio.1 ++++ cpio-2.11+dfsg/doc/cpio.1 +@@ -22,6 +22,7 @@ cpio \- copy files to and from archives + [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message] + [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse] + [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command] ++[\-\-extract\-over\-symlinks] + [\-\-help] [\-\-version] [pattern...] [< archive] + + .B cpio +--- cpio-2.11+dfsg.orig/src/copyin.c ++++ cpio-2.11+dfsg/src/copyin.c +@@ -700,6 +700,51 @@ copyin_link (struct cpio_file_stat *file + free (link_name); + } + ++ ++static int ++path_contains_symlink(char *path) ++{ ++ struct stat st; ++ char *slash; ++ char *nextslash; ++ ++ /* we got NULL pointer or empty string */ ++ if (!path || !*path) { ++ return false; ++ } ++ ++ slash = path; ++ ++ while ((nextslash = strchr(slash + 1, '/')) != NULL) { ++ slash = nextslash; ++ *slash = '\0'; ++ ++ if (lstat(path, &st) != 0) { ++ if (errno == ELOOP) { ++ /* ELOOP - too many symlinks */ ++ *slash = '/'; ++ return true; ++ } else if (errno == ENOMEM) { ++ /* No memory for lstat - terminate */ ++ xalloc_die(); ++ } else { ++ /* cannot lstat path - give up */ ++ *slash = '/'; ++ return false; ++ } ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ *slash = '/'; ++ return true; ++ } ++ ++ *slash = '/'; ++ } ++ ++ return false; ++} ++ + static void + copyin_file (struct cpio_file_stat *file_hdr, int in_file_des) + { +@@ -1471,6 +1516,23 @@ process_copy_in () + { + /* Copy the input file into the directory structure. */ + ++ /* Can we write files over symlinks? */ ++ if (!extract_over_symlinks) ++ { ++ if (path_contains_symlink(file_hdr.c_name)) ++ { ++ /* skip the file */ ++ /* ++ fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name); ++ tape_toss_input (in_file_des, file_hdr.c_filesize); ++ tape_skip_padding (in_file_des, file_hdr.c_filesize); ++ continue; ++ */ ++ /* terminate */ ++ error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name); ++ } ++ } ++ + /* Do we need to rename the file? */ + if (rename_flag || rename_batch_file) + { +--- cpio-2.11+dfsg.orig/src/extern.h ++++ cpio-2.11+dfsg/src/extern.h +@@ -95,6 +95,7 @@ extern char input_is_special; + extern char output_is_special; + extern char input_is_seekable; + extern char output_is_seekable; ++extern bool extract_over_symlinks; + extern int (*xstat) (); + extern void (*copy_function) (); + +--- cpio-2.11+dfsg.orig/src/global.c ++++ cpio-2.11+dfsg/src/global.c +@@ -187,6 +187,9 @@ bool to_stdout_option = false; + /* The name this program was run with. */ + char *program_name; + ++/* Extract files over symbolic links */ ++bool extract_over_symlinks; ++ + /* A pointer to either lstat or stat, depending on whether + dereferencing of symlinks is done for input files. */ + int (*xstat) (); +--- cpio-2.11+dfsg.orig/src/main.c ++++ cpio-2.11+dfsg/src/main.c +@@ -57,7 +57,8 @@ enum cpio_options { + FORCE_LOCAL_OPTION, + DEBUG_OPTION, + BLOCK_SIZE_OPTION, +- TO_STDOUT_OPTION ++ TO_STDOUT_OPTION, ++ EXTRACT_OVER_SYMLINKS + }; + + const char *program_authors[] = +@@ -222,6 +223,8 @@ static struct argp_option options[] = { + N_("Create leading directories where needed"), GRID+1 }, + {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0, + N_("Do not change the ownership of the files"), GRID+1 }, ++ {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0, ++ N_("Force writing over symbolic links"), GRID+1 }, + {"unconditional", 'u', NULL, 0, + N_("Replace all files unconditionally"), GRID+1 }, + {"sparse", SPARSE_OPTION, NULL, 0, +@@ -412,6 +415,10 @@ crc newc odc bin ustar tar (all-caps als + no_chown_flag = true; + break; + ++ case EXTRACT_OVER_SYMLINKS: /* --extract-over-symlinks */ ++ extract_over_symlinks = true; ++ break; ++ + case 'o': /* Copy-out mode. */ + if (copy_function != 0) + error (PAXEXIT_FAILURE, 0, _("Mode already defined")); diff --git a/meta/recipes-extended/cpio/cpio_2.11.bb b/meta/recipes-extended/cpio/cpio_2.11.bb index 0220e8cd4a..b248bb7135 100644 --- a/meta/recipes-extended/cpio/cpio_2.11.bb +++ b/meta/recipes-extended/cpio/cpio_2.11.bb @@ -7,6 +7,7 @@ PR = "r4" SRC_URI += "file://remove-gets.patch \ file://fix-memory-overrun.patch \ + file://cpio-CVE-2015-1197.patch \ " SRC_URI[md5sum] = "1112bb6c45863468b5496ba128792f6c" -- cgit v1.2.3-54-g00ecf