Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools

[Ian Norton <Ian.Norton () entrust com>]

On Wednesday 23 April 2025 at 17:04 Jakub Wilk <jwilk () jwilk net> wrote
> > CVE-2023-39810
> But it seems busybox committed a different patch, which looks good:
> https:/git.busybox.net/busybox/commit/?id=9a8796436b9b0641
> ("archival: disallow path traversals (CVE-2023-39810)")
>
> The essence of the patch is:
>
> +#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
> +       /* Strip leading "/" and up to last "/../" path component */
> +       dst_name = (char *)strip_unsafe_prefix(dst_name);
> +#endif

Yes, that looks better, but it is still an opt-in. Users would need to compile
Busybox with the FEATURE_PATH_TRAVERSAL_PROTECTION feature enabled.

--
Ian

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom 
they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the 
information it contains. Please notify Entrust immediately and delete the message from your system.