| Summary: | <sys-apps/busybox-1.28.0: tar directory traversal | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | embedded |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugs.busybox.net/8411 | ||
| See Also: | https://bugs.busybox.net/show_bug.cgi?id=8411 | ||
| Whiteboard: | A4 [glsa+ cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 638258 | ||
| Bug Blocks: | |||
From $URL: Thanks for detailing this bug. I can now confirm that this has been exploited "in the wild" to root / jailbreak DJI Mavic, Spark, Inspire2, and Phantom 4 drone series. Exploit here for posterity https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/RedHerring.rb#L24 Thanks for pushing to get this patched. It has festered for a while. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7271c533c68a35f72cdb907d3e2743275505c5c6 commit 7271c533c68a35f72cdb907d3e2743275505c5c6 Author: Mike Frysinger <vapier@gentoo.org> AuthorDate: 2018-01-24 04:11:19 +0000 Commit: Mike Frysinger <vapier@gentoo.org> CommitDate: 2018-01-24 04:14:46 +0000 sys-apps/busybox: version bump to 1.28.0 #563756 #635392 #638258 Bug: https://bugs.gentoo.org/563756 Bug: https://bugs.gentoo.org/635392 Bug: https://bugs.gentoo.org/638258 sys-apps/busybox/Manifest | 1 + sys-apps/busybox/busybox-1.28.0.ebuild | 310 +++++++++++++++++++++++++++++++++ 2 files changed, 311 insertions(+)} This issue was resolved and addressed in GLSA 201803-12 at https://security.gentoo.org/glsa/201803-12 by GLSA coordinator Aaron Bauman (b-man). |
From ${URL} : Hello - The BusyBox implementation of tar will extract a symlink that points outside of the current working directory and then follow that symlink when extracting other files. This allows for a directory traversal attack when extracting untrusted tarballs. This behavior was documented in the BusyBox source with the following 2011 commit: http://git.busybox.net/busybox/commit/?id=a116552869db5e7793ae10968eb3c962c69b3d8c I've created an upstream bug report: https://bugs.busybox.net/8411 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.