oss-sec mailing list archives
Re: vulnerabilities in busybox tar and cpio tools
From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 23 Apr 2025 18:02:05 +0200
* Ian Norton <Ian.Norton () entrust com>, 2025-04-23 14:11:
> https://security-tracker.debian.org/tracker/CVE-2023-39810
> This is: "An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal."
> see also https://lists.busybox.net/pipermail/busybox/2024-July/090851.html
This patch appears to be using a realpath(3)-like function, which is not a good tool for this purpose. The function is fundamentally racy, as it could traverse symlinks that are not under your control.
Even worse, on Linux systems you can abuse magic links in /proc to spoof what realpath(3) returns in a race-free manner (although that works only against yourself or root). See https://codeberg.org/jwilk/surrealpath for a proof of concept.
But it seems busybox committed a different patch, which looks good: https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641 ("archival: disallow path traversals (CVE-2023-39810)") The essence of the patch is: +#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION + /* Strip leading "/" and up to last "/../" path component */ + dst_name = (char *)strip_unsafe_prefix(dst_name); +#endif -- Jakub Wilk
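Review bot: the new check is compiled in only under ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION, so a build configured without that option keeps the old extraction behaviour; the option's default should be documented (or the call made unconditional) so downstream builders do not ship without it. The comment also shows the unsafe prefix is stripped and extraction continues rather than the entry being rejected, so it is worth emitting a warning with the rewritten dst_name, otherwise an archive that carried traversal components is unpacked quietly and nobody notices.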
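Added example, not BusyBox's own code: a reconstruction of the stripping rule the commit's comment describes (drop leading "/" and everything up to the last "/../"), plus a check a defender can use to flag archive members whose names had to be rewritten. The function name strip_unsafe_prefix is borrowed from the quoted patch; the body and the sample member names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative re-implementation (not BusyBox's code): drop leading "/"
 * characters and everything up to and including the last "/../" component,
 * so the remaining relative name can only land at or below the extraction
 * directory. Returns a pointer into the input; nothing is copied. */
static const char *strip_unsafe_prefix(const char *name)
{
    const char *cp = name;
    for (;;) {
        const char *dots;
        if (cp[0] == '/') {                 /* absolute name: drop the slash */
            cp++;
            continue;
        }
        if (strncmp(cp, "../", 3) == 0) {   /* leading "../" component */
            cp += 3;
            continue;
        }
        dots = strstr(cp, "/../");          /* embedded "dir/../" component */
        if (dots == NULL)
            break;
        cp = dots + 4;                      /* skip past it and rescan */
    }
    return cp;
}

/* Defender-side check: a member name that had to be rewritten is the signal
 * that the archive attempted to escape the extraction directory. */
static int member_name_was_rewritten(const char *name)
{
    return strip_unsafe_prefix(name) != name;
}

int main(void)
{
    /* Constructed sample member names, as a hostile archive might carry them. */
    static const char *const samples[] = {
        "../../etc/passwd", "/etc/passwd", "build/../../.ssh/authorized_keys",
        "a/b/../c/../d", "docs/README", "weird/..dir/file",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *safe = strip_unsafe_prefix(samples[i]);
        printf("%-36s -> %-22s %s\n", samples[i], safe,
               member_name_was_rewritten(samples[i]) ? "(traversal stripped)" : "");
    }
    return 0;
}
```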
Current thread:
- vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 23)
- Re: vulnerabilities in busybox tar and cpio tools Ricardo Branco (Apr 23)
- Re: vulnerabilities in busybox tar and cpio tools Salvatore Bonaccorso (Apr 23)
- Re: vulnerabilities in busybox tar and cpio tools Albert Veli (Apr 24)
- Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 24)
- Re: vulnerabilities in busybox tar and cpio tools Demi Marie Obenour (Apr 24)
- Re: vulnerabilities in busybox tar and cpio tools Solar Designer (Apr 24)
- Re: vulnerabilities in busybox tar and cpio tools Demi Marie Obenour (Apr 25)
- Re: vulnerabilities in busybox tar and cpio tools Salvatore Bonaccorso (Apr 23)
- Re: vulnerabilities in busybox tar and cpio tools Ricardo Branco (Apr 23)
- Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 24)
