Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 536010 (CVE-2015-1197) - <app-arch/cpio-2.11-r2: directory traversal through symlinks (CVE-2015-1197)
Summary: <app-arch/cpio-2.11-r2: directory traversal through symlinks (CVE-2015-1197)
Status: RESOLVED FIXED
Alias: CVE-2015-1197
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa glsa]
Keywords:
Depends on: CVE-2014-9112
Blocks:
  Show dependency tree
 
Reported: 2015-01-08 10:37 UTC by Agostino Sarubbo
Modified: 2019-11-14 19:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-08 10:37:56 UTC
From ${URL} :

It was reported [1] that cpio is susceptible to a directory traversal vulnerability.

Original report follows:
...
While extracting an archive, it will extract symlinks and then follow them if 
they are referenced in further entries. This can be exploited by a rogue 
archive to write files outside the current directory.

Example:

1) create a sample archive:

ln -s /tmp dir
echo dir | cpio -oF test.cpio
rm dir
mkdir dir
echo hello > dir/file
echo dir/file | cpio -oAF test.cpio
rm -r dir

2) test it:

cpio --no-absolute-filenames -ivF test.cpio

This will create a symlink "dir" in the current directory and a file 
"/tmp/file".
...

No patches are available at this time.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Tony Vroon gentoo-dev 2015-01-09 11:43:36 UTC
+*cpio-2.11-r2 (09 Jan 2015)
+
+  09 Jan 2015; Tony Vroon <chainsaw@gentoo.org> +cpio-2.11-r2.ebuild,
+  +files/cpio-2.11-security.patch:
+  Scavenge upstream bug fixes for heap-based buffer overflow and directory
+  traversal through symlinks. For security bugs #530512 and #536010.

Suggest stabilisation is handled in bug #530512.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:50:06 UTC
This issue was resolved and addressed in
 GLSA 201502-11 at http://security.gentoo.org/glsa/glsa-201502-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-03-03 14:25:17 UTC
CVE-2015-1197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1197):
  cpio 2.11, when using the --no-absolute-filenames option, allows local users
  to write to arbitrary files via a symlink attack on a file in an archive.
Comment 4 Alexander Tsoy 2019-11-14 19:06:05 UTC
cpio-2.11-security.patch was dropped with 2.12 bump [1]. And upstream fixed this security issue in 2.13 [2] (currently pmasked). Should this bug be reopened?

[1] https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65dd197d2dbddb0c95bbdde6097f5cce748c1fb9
[2] https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca