Quote from Debian bug:

This command looks safe, and is a reasonable "backup" command:

    find /home -type f | cpio -H tar -o > /var/backups/backup.tar

But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the tar file can be made to have arbitrary content, so a restore could overwrite /etc/passwd or anything else under the restore tree, using any permissions. A world-writable /dev/sda would also be bad, as would many other fun variants. Like user controlling /home/evil can inject /home/friendly/.bashrc content too.

Patch at https://cement.retrofitta.se/tmp/cpio-tar.patch

Patch commit message:

Check for size overflow in tar header fields.

This prevents surprising outputs being created, e.g. this cpio tar output with more than one file:

    tar cf suffix.tar AUTHORS
    dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
    echo suffix.tar | cpio -H tar -o | tar tvf -
    -rw-r--r-- 1000/1000         0 2019-08-30 16:40 suffix.tar
    -rw-r--r-- thomas/thomas   161 2019-08-30 16:40 AUTHORS
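The overflow the Debian patch guards against, as an added example that is not from the bug report or from cpio's code: a minimal POSIX ustar header builder (hypothetical helper names) whose octal fields refuse a value that does not fit, so a >8GiB size raises instead of wrapping into a header that claims size 0, plus a reader that verifies the header checksum before trusting the size field.

```python
BLOCK = 512
USTAR_SIZE_MAX = 0o77777777777  # 11 octal digits: 8 GiB - 1


def octal_field(value, width):
    """Encode value as NUL-terminated octal of exactly `width` bytes.
    Refuses values that would spill past the field instead of wrapping,
    which is the kind of check the cpio patch in this bug adds."""
    if value < 0:
        raise ValueError("negative field value")
    text = "%0*o" % (width - 1, value)
    if len(text) != width - 1:
        raise OverflowError("%d does not fit a %d-byte octal field" % (value, width))
    return text.encode("ascii") + b"\0"


def ustar_header(name, size, mode=0o644, uid=0, gid=0, mtime=0, typeflag=b"0"):
    """Build one 512-byte POSIX ustar header (hypothetical helper, not cpio's)."""
    name_b = name.encode("utf-8")
    if len(name_b) > 100:
        raise OverflowError("name longer than 100 bytes")
    fields = (
        name_b.ljust(100, b"\0"),
        octal_field(mode, 8), octal_field(uid, 8), octal_field(gid, 8),
        octal_field(size, 12),       # the field that wrapped for >8 GiB files
        octal_field(mtime, 12),
        b" " * 8,                    # checksum is summed as eight spaces
        typeflag, b"\0" * 100,       # typeflag, linkname
        b"ustar\0", b"00",           # magic, version
        b"\0" * 32, b"\0" * 32,      # uname, gname
        octal_field(0, 8), octal_field(0, 8),  # devmajor, devminor
        b"\0" * 155,                 # prefix
    )
    hdr = b"".join(fields).ljust(BLOCK, b"\0")
    chksum = ("%06o\0 " % sum(hdr)).encode("ascii")
    return hdr[:148] + chksum + hdr[156:]


def parse_header(block):
    """Verify the checksum, then return (name, size) from a ustar header."""
    if len(block) != BLOCK:
        raise ValueError("short header")
    stored = int(block[148:156].split(b"\0")[0].strip() or b"0", 8)
    computed = sum(block[:148]) + 8 * ord(" ") + sum(block[156:])
    if stored != computed:
        raise ValueError("bad header checksum")
    name = block[:100].split(b"\0")[0].decode("utf-8")
    size = int(block[124:136].split(b"\0")[0].strip() or b"0", 8)
    return name, size
```

A writer built this way fails loudly on the 16G suffix.tar from the commit message rather than emitting the two-entry archive shown above; the reader side cannot detect that case by itself, because the wrapped header is a valid header.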
arm64 stable
x86 stable
Full stop on stabilization due to bug #700020
(In reply to Lars Wendler (Polynomial-C) from comment #3)
> Full stop on stabilization due to bug #700020

No fix yet, unfortunately.

---

Other vulnerabilities that 2.13 fixed:

2) CVE-2016-2037
Description: "The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file."
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Unable to check for sanity:
> package masked: app-arch/cpio-2.13
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d0bdb974112f7857d6e50efb7d6b4b2b1ec295

commit 30d0bdb974112f7857d6e50efb7d6b4b2b1ec295
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 18:40:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 18:41:04 +0000

    app-arch/cpio: patch regressions in 2.13, allowing CVE-2021-38185 fix (unkeyworded)

    To be keyworded after testing on more machines.

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                          |  1 +
 app-arch/cpio/cpio-2.13-r1.ebuild               | 39 ++++++++++++++++++++++
 .../files/cpio-2.13-sysmacros-glibc-2.26.patch  | 12 +++++++
 3 files changed, 52 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a52ec56f85b11ee1faceddac7874666ad6d2b164

commit a52ec56f85b11ee1faceddac7874666ad6d2b164
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 19:11:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 19:12:00 +0000

    app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames

    At least we can have the fix for CVE-2021-38185.

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{cpio-2.13-r1.ebuild => cpio-2.13-r2.ebuild}    |  1 +
 ...e-filenames-revert-CVE-2015-1197-handling.patch  | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=372a7b0084f0e8bf8ced7bba804f42c79a3b35f8

commit 372a7b0084f0e8bf8ced7bba804f42c79a3b35f8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-30 15:58:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-30 16:31:07 +0000

    app-arch/cpio: keyword 2.13-r3

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/cpio-2.13-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b78649fb457fb8cfe48aa194af9233cd3cc5cc6

commit 8b78649fb457fb8cfe48aa194af9233cd3cc5cc6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-05 02:35:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-05 02:35:53 +0000

    app-arch/cpio: add 2.14

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/738392
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                          |  1 +
 app-arch/cpio/cpio-2.14.ebuild                  | 50 ++++++++++++++++++++++
 .../files/cpio-2.14-sysmacros-glibc-2.26.patch  | 42 ++++++++++++++++++
 3 files changed, 93 insertions(+)
I think this is fixed now upstream in 2.14? Not sure yet.