Quote from Debian bug:
This command looks safe, and is a reasonable "backup" command:
find /home -type f | cpio -H tar -o > /var/backups/backup.tar
But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the
tar file can be made to have arbitrary content, so a restore could
overwrite /etc/passwd or anything else under the restore tree, using any
permissions. A world writable /dev/sda would also be bad, as would many
other fun variants. Likewise, a user controlling /home/evil can inject
/home/friendly/.bashrc content too.
Patch at https://cement.retrofitta.se/tmp/cpio-tar.patch
Patch commit message:
Check for size overflow in tar header fields.
This prevents surprising outputs being created, e.g. this cpio tar
output with more than one file:
tar cf suffix.tar AUTHORS
dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
echo suffix.tar | cpio -H tar -o | tar tvf -
-rw-r--r-- 1000/1000 0 2019-08-30 16:40 suffix.tar
-rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
Full stop on stabilization due to bug #700020
(In reply to Lars Wendler (Polynomial-C) from comment #3)
> Full stop on stabilization due to bug #700020
No fix yet, unfortunately.
Other vulnerabilities that 2.13 fixed:
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file."
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Unable to check for sanity:
> package masked: app-arch/cpio-2.13