Re: A possible regression in busybox-static version 1:1.22.0-9+deb8u2

To: Markus Koschany <apo@debian.org>
Cc: debian-lts@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: A possible regression in busybox-static version 1:1.22.0-9+deb8u2
From: jhcha54008 <jhcha54008@free.fr>
Date: Thu, 2 Aug 2018 12:41:56 +0200
Message-id: <[🔎] 20180802104156.GA6512@dtl64-seine>
In-reply-to: <b79e6303-c5f5-a8e8-c23c-d9d0685d03be@debian.org>
References: <20180730200126.GA6441@dtl64-seine> <b79e6303-c5f5-a8e8-c23c-d9d0685d03be@debian.org>

Hi,
Thank you for your quick answer and for this corrected version 1:1.22.0-9+deb8u3
 
Le mardi 31 juillet à 08h 09mn 07s (+0800), Markus Koschany a écrit :
> Am 31.07.2018 um 04:01 schrieb jhcha54008:
> > Hi,
> > 
> > 2) It doesn't extract symlinks from a cpio archive if the target
> > path contains (at least) one slash (ie absolute symlinks and
> > relative symlinks towards another directory are not extracted).
> 
> [...]
> 
> This is related to CVE-2011-5325 and at first glance this looks correct
> to me. CVE-2011-5325 was about a symlinking attack.
> 
> Taken from CVE-2011-5325_part1.patch:
> 
> For example, consider a .tar created via:
> tar cvf bug.tar anything.txt
> ln -s /tmp symlink
> tar --append -f bug.tar symlink
> rm symlink
> mkdir symlink
> tar --append -f bug.tar symlink/evil.py
> 
> This will result in an archive that contains:
> tar --list -f bug.tar
> anything.txt
> symlink [-> /tmp]
> symlink/evil.py
> 
> Untarring bug.tar would otherwise place evil.py in '/tmp'.
> 
> The patch fixes the issue.
> 
> Your example matches this scenario because you have a lib64 directory
> and a symlink that is also called lib64/ld-linux-x86-64.so.2.
> 
> This change is still present in the latest busybox release in Debian. We
> could revert it but then you would be vulnerable again.
> 
> 
> Regards,
> 
> Markus
> 

Thank you for your explanation. But I am probably still missing something : what is the
rule to distinguish legitimate/evil symlinks ?

My question was : is it still possible to do system backup restoration with busybox-static cpio ?

I get a restored system with numerous symlinks missing and no dynamically linked
executable may run (because the path to the ELF-loader is missing too) - including /sbin/init
(the system doesn't boot farther)

Rewriting the example of my previous message (with busybox-static 1:1.22.0-9+deb8u3) :

$ zcat archive.cpio.gz | cpio -itv
drwxr-xr-x  14 root     root            0 Jul 26 21:57 lib
drwxr-xr-x   3 root     root            0 Jul 26 21:57 lib/x86_64-linux-gnu
-rwxr-xr-x   1 root     root       140928 Jul 26 21:57 lib/x86_64-linux-gnu/ld-2.19.so
drwxr-xr-x   2 root     root            0 Jul 26 21:57 lib64
lrwxrwxrwx   1 root     root           32 Jul 26 21:57 lib64/ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.19.so
277 blocks
$ busybox gunzip - < archive.cpio.gz | busybox cpio -i
277 blocks
$ ls -ARlF
.:
total 0
drwxr-xr-x 3 me me 60 Aug  2 12:14 lib/
drwxr-xr-x 2 me me 40 Aug  2 12:14 lib64/

./lib:
total 0
drwxr-xr-x 2 me me 60 Aug  2 12:14 x86_64-linux-gnu/

./lib/x86_64-linux-gnu:
total 140
-rwxr-xr-x 1 me me 140928 Aug  2 12:14 ld-2.19.so*

./lib64:
total 0

Regards,
JH Chatenet

Reply to:

Follow-Ups:
- Re: A possible regression in busybox-static version 1:1.22.0-9+deb8u2
  - From: jhcha54008 <jhcha54008@free.fr>

Prev by Date: Going to nm
Next by Date: Re: upload ant
Previous by thread: Going to nm
Next by thread: Re: A possible regression in busybox-static version 1:1.22.0-9+deb8u2
Index(es):
- Date
- Thread