Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 699456 (CVE-2016-2037, CVE-2019-14866)

Summary: app-arch/cpio: improper input validation when writing tar header fields leads to unexpected tar generation (CVE-2016-2037, CVE-2019-14866)
Product: Gentoo Security Reporter: Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: base-system, gabriele.svelto, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://security-tracker.debian.org/tracker/CVE-2019-14866
Whiteboard: B4 [upstream cve]
Package list:
app-arch/cpio-2.13
Runtime testing required: ---
Bug Depends on: 700020, 807088, 908631    
Bug Blocks:    

Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-11-06 15:58:10 UTC
Quote from Debian bug:


This command looks safe, and is a reasonable "backup" command:
find /home -type f | cpio -H tar -o > /var/backups/backup.tar

But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the
tar file can be made to have arbitrary content, so a restore could
overwrite /etc/passwd or anything else under the restore tree, using any
permissions. A world writable /dev/sda would also be bad, as would many
other fun variants. Like user controlling /home/evil can inject
/home/friendly/.bashrc content too.

Patch at https://cement.retrofitta.se/tmp/cpio-tar.patch

Patch commit message:

Check for size overflow in tar header fields.

    This prevents surprising outputs being created, e.g. this cpio tar
    output with more than one file:

    tar cf suffix.tar AUTHORS
    dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
    echo suffix.tar | cpio -H tar -o | tar tvf -

    -rw-r--r-- 1000/1000       0 2019-08-30 16:40 suffix.tar
    -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-11-14 15:17:05 UTC
arm64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2019-11-14 15:42:07 UTC
x86 stable
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-11-14 16:08:40 UTC
Full stop on stabilization due to bug #700020
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 20:09:25 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #3)
> Full stop on stabilization due to bug #700020

No fix yet, unfortunately.

---
Other vulnerabilities that 2.13 fixed:

2) CVE-2016-2037

Description:
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file."
Comment 5 NATTkA bot gentoo-dev 2020-04-06 15:05:40 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2020-05-05 19:12:43 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-04-01 20:13:23 UTC
Unable to check for sanity:

> package masked: app-arch/cpio-2.13
Comment 8 Larry the Git Cow gentoo-dev 2022-10-18 18:41:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d0bdb974112f7857d6e50efb7d6b4b2b1ec295

commit 30d0bdb974112f7857d6e50efb7d6b4b2b1ec295
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 18:40:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 18:41:04 +0000

    app-arch/cpio: patch regressions in 2.13, allowing CVE-2021-38185 fix (unkeyworded)
    
    To be keyworded after testing on more machines.
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                             |  1 +
 app-arch/cpio/cpio-2.13-r1.ebuild                  | 39 ++++++++++++++++++++++
 .../files/cpio-2.13-sysmacros-glibc-2.26.patch     | 12 +++++++
 3 files changed, 52 insertions(+)
Comment 9 Larry the Git Cow gentoo-dev 2022-10-18 19:12:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a52ec56f85b11ee1faceddac7874666ad6d2b164

commit a52ec56f85b11ee1faceddac7874666ad6d2b164
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 19:11:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 19:12:00 +0000

    app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames
    
    At least we can have the fix for CVE-2021-38185.
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{cpio-2.13-r1.ebuild => cpio-2.13-r2.ebuild}   |  1 +
 ...e-filenames-revert-CVE-2015-1197-handling.patch | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
Comment 10 Larry the Git Cow gentoo-dev 2022-10-30 16:31:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=372a7b0084f0e8bf8ced7bba804f42c79a3b35f8

commit 372a7b0084f0e8bf8ced7bba804f42c79a3b35f8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-30 15:58:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-30 16:31:07 +0000

    app-arch/cpio: keyword 2.13-r3
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/cpio-2.13-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Larry the Git Cow gentoo-dev 2023-05-05 02:38:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b78649fb457fb8cfe48aa194af9233cd3cc5cc6

commit 8b78649fb457fb8cfe48aa194af9233cd3cc5cc6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-05 02:35:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-05 02:35:53 +0000

    app-arch/cpio: add 2.14
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/738392
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                             |  1 +
 app-arch/cpio/cpio-2.14.ebuild                     | 50 ++++++++++++++++++++++
 .../files/cpio-2.14-sysmacros-glibc-2.26.patch     | 42 ++++++++++++++++++
 3 files changed, 93 insertions(+)
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-05 02:40:09 UTC
I think this is fixed now upstream in 2.14? Not sure yet.