tar: postpone creation of symlinks with "suspicious" targets. Closes 8411

function old new delta data_extract_all 968 1038 +70 tar_main 952 986 +34 scan_tree 258 262 +4 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 3/0 up/down: 108/0) Total: 108 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko <vda.linux@googlemail.com> 2017-07-24 17:20:13 +0200
committer: Denys Vlasenko <vda.linux@googlemail.com> 2017-07-24 17:20:13 +0200
commit: b920a38dc0a87f5884444d4731a8b887b5e16018 (patch)
tree: 5d845976a9471e705183db9afbbe7885e9070b52
parent: c810978552bc0133ba723ababaa178c8d53256e1 (diff)
download: busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.tar.gz
busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.tar.bz2
busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.zip
6 files changed, 130 insertions, 36 deletions
diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
index 1830ffb8d..1ce927c2f 100644
--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
@@ -128,10 +128,11 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
                res = link(hard_link, dst_name);
                if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
                        /* shared message */
-                        bb_perror_msg("can't create %slink "
+                        bb_perror_msg("can't create %slink '%s' to '%s'",
-                                        "%s to %s", "hard",
+                                        "hard",
                                        dst_name,
-                                        hard_link);
+                                        hard_link
+                        );
                }
                /* Hardlinks have no separate mode/ownership, skip chown/chmod */
                goto ret;
@@ -178,15 +179,44 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
        case S_IFLNK:
                /* Symlink */
 //TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
+                /* To avoid a directory traversal attack via symlinks,
+                 * for certain link targets postpone creation of symlinks.
+                 *
+                 * For example, consider a .tar created via:
+                 *  $ tar cvf bug.tar anything.txt
+                 *  $ ln -s /tmp symlink
+                 *  $ tar --append -f bug.tar symlink
+                 *  $ rm symlink
+                 *  $ mkdir symlink
+                 *  $ tar --append -f bug.tar symlink/evil.py
+                 *
+                 * This will result in an archive that contains:
+                 *  $ tar --list -f bug.tar
+                 *  anything.txt
+                 *  symlink [-> /tmp]
+                 *  symlink/evil.py
+                 *
+                 * Untarring bug.tar would otherwise place evil.py in '/tmp'.
+                 */
+                if (file_header->link_target[0] == '/'
+                 || strstr(file_header->link_target, "..")
+                ) {
+                        llist_add_to(&archive_handle->symlink_placeholders,
+                                xasprintf("%s%c%s", file_header->name, '\0', file_header->link_target)
+                        );
+                        break;
+                }
                res = symlink(file_header->link_target, dst_name);
                if (res != 0
                 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
                ) {
                        /* shared message */
-                        bb_perror_msg("can't create %slink "
+                        bb_perror_msg("can't create %slink '%s' to '%s'",
-                                "%s to %s", "sym",
+                                "sym",
                                dst_name,
-                                file_header->link_target);
+                                file_header->link_target
+                        );
                }
                break;
        case S_IFSOCK:
diff --git a/archival/tar.c b/archival/tar.c
index 0fc574dfd..280ded4e1 100644
--- a/archival/tar.c
+++ b/archival/tar.c
@@ -22,24 +22,6 @@
 *
 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
 */
-/* TODO: security with -C DESTDIR option can be enhanced.
- * Consider tar file created via:
- * $ tar cvf bug.tar anything.txt
- * $ ln -s /tmp symlink
- * $ tar --append -f bug.tar symlink
- * $ rm symlink
- * $ mkdir symlink
- * $ tar --append -f bug.tar symlink/evil.py
- *
- * This will result in an archive which contains:
- * $ tar --list -f bug.tar
- * anything.txt
- * symlink
- * symlink/evil.py
- *
- * Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
- * This doesn't feel right, and IIRC GNU tar doesn't do that.
- */
 //config:config TAR
 //config:       bool "tar (40 kb)"
@@ -296,6 +278,23 @@ static void chksum_and_xwrite(int fd, struct tar_header_t* hp)
        xwrite(fd, hp, sizeof(*hp));
 }
+static void replace_symlink_placeholders(llist_t *list)
+{
+        while (list) {
+                char *target;
+                target = list->data + strlen(list->data) + 1;
+                if (symlink(target, list->data)) {
+                        /* shared message */
+                        bb_error_msg_and_die("can't create %slink '%s' to '%s'",
+                                "sym",
+                                list->data, target
+                        );
+                }
+                list = list->link;
+        }
+}
 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
 static void writeLongname(int fd, int type, const char *name, int dir)
 {
@@ -1252,6 +1251,8 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
        while (get_header_tar(tar_handle) == EXIT_SUCCESS)
                bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */
+        replace_symlink_placeholders(tar_handle->symlink_placeholders);
        /* Check that every file that should have been extracted was */
        while (tar_handle->accept) {
                if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)
diff --git a/archival/tar_symlink_attack b/archival/tar_symlink_attack
new file mode 100755
index 000000000..35455f200
--- /dev/null
+++ b/archival/tar_symlink_attack
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Makes "symlink attack" tarball (needs GNU tar for --append)
+true >anything.txt
+tar cvf tar_symlink_attack.tar anything.txt
+rm anything.txt
+ln -s /tmp symlink
+tar --append -f tar_symlink_attack.tar symlink
+rm symlink
+mkdir symlink
+echo BUG >symlink/bb_test_evilfile
+tar --append -f tar_symlink_attack.tar symlink/bb_test_evilfile
+rm symlink/bb_test_evilfile
+rmdir symlink
diff --git a/coreutils/link.c b/coreutils/link.c
index 56832fdf6..6e20dafe3 100644
--- a/coreutils/link.c
+++ b/coreutils/link.c
@@ -33,7 +33,7 @@ int link_main(int argc UNUSED_PARAM, char **argv)
        if (link(argv[0], argv[1]) != 0) {
                /* shared message */
                bb_perror_msg_and_die("can't create %slink "
-                                        "%s to %s", "hard",
+                                        "'%s' to '%s'", "hard",
                                        argv[1], argv[0]
                );
        }
diff --git a/include/bb_archive.h b/include/bb_archive.h
index 2b9c5f04c..d3762415f 100644
--- a/include/bb_archive.h
+++ b/include/bb_archive.h
@@ -64,6 +64,9 @@ typedef struct archive_handle_t {
        /* Currently processed file's header */
        file_header_t *file_header;
+        /* List of symlink placeholders */
+        llist_t *symlink_placeholders;
        /* Process the header component, e.g. tar -t */
        void FAST_FUNC (*action_header)(const file_header_t *);
@@ -188,6 +191,7 @@ char get_header_ar(archive_handle_t *archive_handle) FAST_FUNC;
 char get_header_cpio(archive_handle_t *archive_handle) FAST_FUNC;
 char get_header_tar(archive_handle_t *archive_handle) FAST_FUNC;
 char get_header_tar_gz(archive_handle_t *archive_handle) FAST_FUNC;
+char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC;
 char get_header_tar_bz2(archive_handle_t *archive_handle) FAST_FUNC;
 char get_header_tar_lzma(archive_handle_t *archive_handle) FAST_FUNC;
 char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC;
diff --git a/testsuite/tar.tests b/testsuite/tar.tests
index 9f7ce1587..1675b07b1 100755
--- a/testsuite/tar.tests
+++ b/testsuite/tar.tests
@@ -10,9 +10,6 @@ unset LC_COLLATE
 unset LC_ALL
 umask 022
-rm -rf tar.tempdir 2>/dev/null
-mkdir tar.tempdir && cd tar.tempdir || exit 1
 # testing "test name" "script" "expected result" "file input" "stdin"
 testing "Empty file is not a tarball" '\
@@ -53,6 +50,7 @@ dd if=/dev/zero bs=512 count=20 2>/dev/null | tar xvf - 2>&1; echo $?
 "" ""
 SKIP=
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 # "tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input":
 # GNU tar 1.26 records as hardlinks:
 #  input_hard2 -> input_hard1
@@ -64,7 +62,6 @@ SKIP=
 # We also don't use "hrw-r--r--" notation for hardlinks in "tar tv" listing.
 optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
 testing "tar hardlinks and repeated files" '\
-rm -rf input_* test.tar 2>/dev/null
 >input_hard1
 ln input_hard1 input_hard2
 mkdir input_dir
@@ -95,10 +92,11 @@ drwxr-xr-x input_dir
 " \
 "" ""
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
 testing "tar hardlinks mode" '\
-rm -rf input_* test.tar 2>/dev/null
 >input_hard1
 chmod 741 input_hard1
 ln input_hard1 input_hard2
@@ -128,10 +126,11 @@ Ok: 0
 " \
 "" ""
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
 testing "tar symlinks mode" '\
-rm -rf input_* test.tar 2>/dev/null
 >input_file
 chmod 741 input_file
 ln -s input_file input_soft
@@ -159,10 +158,11 @@ lrwxrwxrwx input_file
 " \
 "" ""
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 optional FEATURE_TAR_CREATE FEATURE_TAR_LONG_OPTIONS
 testing "tar --overwrite" "\
-rm -rf input_* test.tar 2>/dev/null
 ln input input_hard
 tar cf test.tar input_hard
 echo WRONG >input
@@ -174,12 +174,13 @@ Ok
 " \
 "Ok\n" ""
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 test x"$SKIP_KNOWN_BUGS" = x"" && {
 # Needs to be run under non-root for meaningful test
 optional FEATURE_TAR_CREATE
 testing "tar writing into read-only dir" '\
-rm -rf input_* test.tar 2>/dev/null
 mkdir input_dir
 >input_dir/input_file
 chmod 550 input_dir
@@ -201,7 +202,9 @@ dr-xr-x--- input_dir
 "" ""
 SKIP=
 }
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 # Had a bug where on extract autodetect first "switched off" -z
 # and then failed to recognize .tgz extension
 optional FEATURE_TAR_CREATE FEATURE_SEAMLESS_GZ GUNZIP
@@ -217,7 +220,9 @@ Ok
 " \
 "" ""
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 # Do we detect XZ-compressed data (even w/o .tar.xz or txz extension)?
 # (the uuencoded hello_world.txz contains one empty file named "hello_world")
 optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_XZ
@@ -236,7 +241,9 @@ AAAEWVo=
 ====
 "
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 # On extract, everything up to and including last ".." component is stripped
 optional FEATURE_TAR_CREATE
 testing "tar strips /../ on extract" "\
@@ -255,7 +262,9 @@ Ok
 " \
 "" ""
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 # attack.tar.bz2 has symlink pointing to a system file
 # followed by a regular file with the same name
 # containing "root::0:0::/root:/bin/sh":
@@ -270,6 +279,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
 testing "tar does not extract into symlinks" "\
 >>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
 " "\
+tar: can't create symlink 'passwd' to '/tmp/passwd'
 0
 " \
 "" "\
@@ -281,12 +291,15 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
 ====
 "
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 # And same with -k
 optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
 testing "tar -k does not extract into symlinks" "\
 >>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
 " "\
-tar: can't open 'passwd': File exists
+tar: can't create symlink 'passwd' to '/tmp/passwd'
 0
 " \
 "" "\
@@ -298,7 +311,9 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
 ====
 "
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
 optional UNICODE_SUPPORT FEATURE_TAR_GNU_EXTENSIONS FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
 testing "Pax-encoded UTF8 names and symlinks" '\
 tar xvf ../tar.utf8.tar.bz2 2>&1; echo $?
@@ -318,8 +333,36 @@ etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
 " \
 "" ""
 SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
-cd .. && rm -rf tar.tempdir || exit 1
+optional FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
+testing "Symlink attack: create symlink and then write through it" '\
+exec 2>&1
+uudecode -o input && tar xvf input; echo $?
+ls /tmp/bb_test_evilfile
+ls bb_test_evilfile
+ls symlink/bb_test_evilfile
+' "\
+anything.txt
+symlink
+symlink/bb_test_evilfile
+tar: can't create symlink 'symlink' to '/tmp'
+1
+ls: /tmp/bb_test_evilfile: No such file or directory
+ls: bb_test_evilfile: No such file or directory
+symlink/bb_test_evilfile
+" \
+"" "\
+begin-base64 644 tar_symlink_attack.tar.bz2
+QlpoOTFBWSZTWZgs7bQAALT/hMmQAFBAAf+AEMAGJPPv32AAAIAIMAC5thlR
+omAjAmCMADQT1BqNE0AEwAAjAEwElTKeo9NTR6h6gaeoA0DQNLVdwZZ5iNTk
+AQwCAV6S00QFJYhrlfFkVCEDEGtgNVqYrI0uK3ggnt30gqk4e1TTQm5QIAKa
+SJqzRGSFLMmOloHSAcvLiFxxRiQtQZF+qPxbo173ZDISOAoNoPN4PQPhBhKS
+n8fYaKlioCTzL2oXYczyUUIP4u5IpwoSEwWdtoA=
+====
+"
+SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
 exit $FAILCOUNT
author	Denys Vlasenko <vda.linux@googlemail.com>	2017-07-24 17:20:13 +0200
committer	Denys Vlasenko <vda.linux@googlemail.com>	2017-07-24 17:20:13 +0200
commit	b920a38dc0a87f5884444d4731a8b887b5e16018 (patch)
tree	5d845976a9471e705183db9afbbe7885e9070b52
parent	c810978552bc0133ba723ababaa178c8d53256e1 (diff)
download	busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.tar.gz busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.tar.bz2 busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.zip

diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c index 1830ffb8d..1ce927c2f 100644 --- a/archival/libarchive/data_extract_all.c +++ b/archival/libarchive/data_extract_all.c
@@ -128,10 +128,11 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
128	res = link(hard_link, dst_name);	128	res = link(hard_link, dst_name);
129	if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {	129	if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
130	/* shared message */	130	/* shared message */
131	bb_perror_msg("can't create %slink "	131	bb_perror_msg("can't create %slink '%s' to '%s'",
132	"%s to %s", "hard",	132	"hard",
133	dst_name,	133	dst_name,
134	hard_link);	134	hard_link
		135	);
135	}	136	}
136	/* Hardlinks have no separate mode/ownership, skip chown/chmod */	137	/* Hardlinks have no separate mode/ownership, skip chown/chmod */
137	goto ret;	138	goto ret;
@@ -178,15 +179,44 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
178	case S_IFLNK:	179	case S_IFLNK:
179	/* Symlink */	180	/* Symlink */
180	//TODO: what if file_header->link_target == NULL (say, corrupted tarball?)	181	//TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
		182
		183	/* To avoid a directory traversal attack via symlinks,
		184	* for certain link targets postpone creation of symlinks.
		185	*
		186	* For example, consider a .tar created via:
		187	* $ tar cvf bug.tar anything.txt
		188	* $ ln -s /tmp symlink
		189	* $ tar --append -f bug.tar symlink
		190	* $ rm symlink
		191	* $ mkdir symlink
		192	* $ tar --append -f bug.tar symlink/evil.py
		193	*
		194	* This will result in an archive that contains:
		195	* $ tar --list -f bug.tar
		196	* anything.txt
		197	* symlink [-> /tmp]
		198	* symlink/evil.py
		199	*
		200	* Untarring bug.tar would otherwise place evil.py in '/tmp'.
		201	*/
		202	if (file_header->link_target[0] == '/'
		203	\|\| strstr(file_header->link_target, "..")
		204	) {
		205	llist_add_to(&archive_handle->symlink_placeholders,
		206	xasprintf("%s%c%s", file_header->name, '\0', file_header->link_target)
		207	);
		208	break;
		209	}
181	res = symlink(file_header->link_target, dst_name);	210	res = symlink(file_header->link_target, dst_name);
182	if (res != 0	211	if (res != 0
183	&& !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)	212	&& !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
184	) {	213	) {
185	/* shared message */	214	/* shared message */
186	bb_perror_msg("can't create %slink "	215	bb_perror_msg("can't create %slink '%s' to '%s'",
187	"%s to %s", "sym",	216	"sym",
188	dst_name,	217	dst_name,
189	file_header->link_target);	218	file_header->link_target
		219	);
190	}	220	}
191	break;	221	break;
192	case S_IFSOCK:	222	case S_IFSOCK:


diff --git a/archival/tar.c b/archival/tar.c index 0fc574dfd..280ded4e1 100644 --- a/archival/tar.c +++ b/archival/tar.c
@@ -22,24 +22,6 @@
22	*	22	*
23	* Licensed under GPLv2 or later, see file LICENSE in this source tree.	23	* Licensed under GPLv2 or later, see file LICENSE in this source tree.
24	*/	24	*/
25	/* TODO: security with -C DESTDIR option can be enhanced.
26	* Consider tar file created via:
27	* $ tar cvf bug.tar anything.txt
28	* $ ln -s /tmp symlink
29	* $ tar --append -f bug.tar symlink
30	* $ rm symlink
31	* $ mkdir symlink
32	* $ tar --append -f bug.tar symlink/evil.py
33	*
34	* This will result in an archive which contains:
35	* $ tar --list -f bug.tar
36	* anything.txt
37	* symlink
38	* symlink/evil.py
39	*
40	* Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
41	* This doesn't feel right, and IIRC GNU tar doesn't do that.
42	*/
43		25
44	//config:config TAR	26	//config:config TAR
45	//config: bool "tar (40 kb)"	27	//config: bool "tar (40 kb)"
@@ -296,6 +278,23 @@ static void chksum_and_xwrite(int fd, struct tar_header_t* hp)
296	xwrite(fd, hp, sizeof(*hp));	278	xwrite(fd, hp, sizeof(*hp));
297	}	279	}
298		280
		281	static void replace_symlink_placeholders(llist_t *list)
		282	{
		283	while (list) {
		284	char *target;
		285
		286	target = list->data + strlen(list->data) + 1;
		287	if (symlink(target, list->data)) {
		288	/* shared message */
		289	bb_error_msg_and_die("can't create %slink '%s' to '%s'",
		290	"sym",
		291	list->data, target
		292	);
		293	}
		294	list = list->link;
		295	}
		296	}
		297
299	#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS	298	#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
300	static void writeLongname(int fd, int type, const char *name, int dir)	299	static void writeLongname(int fd, int type, const char *name, int dir)
301	{	300	{
@@ -1252,6 +1251,8 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
1252	while (get_header_tar(tar_handle) == EXIT_SUCCESS)	1251	while (get_header_tar(tar_handle) == EXIT_SUCCESS)
1253	bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */	1252	bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */
1254		1253
		1254	replace_symlink_placeholders(tar_handle->symlink_placeholders);
		1255
1255	/* Check that every file that should have been extracted was */	1256	/* Check that every file that should have been extracted was */
1256	while (tar_handle->accept) {	1257	while (tar_handle->accept) {
1257	if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)	1258	if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)


diff --git a/archival/tar_symlink_attack b/archival/tar_symlink_attack new file mode 100755 index 000000000..35455f200 --- /dev/null +++ b/archival/tar_symlink_attack
@@ -0,0 +1,16 @@
		1	#!/bin/sh
		2	# Makes "symlink attack" tarball (needs GNU tar for --append)
		3
		4	true >anything.txt
		5	tar cvf tar_symlink_attack.tar anything.txt
		6	rm anything.txt
		7
		8	ln -s /tmp symlink
		9	tar --append -f tar_symlink_attack.tar symlink
		10	rm symlink
		11
		12	mkdir symlink
		13	echo BUG >symlink/bb_test_evilfile
		14	tar --append -f tar_symlink_attack.tar symlink/bb_test_evilfile
		15	rm symlink/bb_test_evilfile
		16	rmdir symlink


diff --git a/coreutils/link.c b/coreutils/link.c index 56832fdf6..6e20dafe3 100644 --- a/coreutils/link.c +++ b/coreutils/link.c
@@ -33,7 +33,7 @@ int link_main(int argc UNUSED_PARAM, char **argv)
33	if (link(argv[0], argv[1]) != 0) {	33	if (link(argv[0], argv[1]) != 0) {
34	/* shared message */	34	/* shared message */
35	bb_perror_msg_and_die("can't create %slink "	35	bb_perror_msg_and_die("can't create %slink "
36	"%s to %s", "hard",	36	"'%s' to '%s'", "hard",
37	argv[1], argv[0]	37	argv[1], argv[0]
38	);	38	);
39	}	39	}


diff --git a/include/bb_archive.h b/include/bb_archive.h index 2b9c5f04c..d3762415f 100644 --- a/include/bb_archive.h +++ b/include/bb_archive.h
@@ -64,6 +64,9 @@ typedef struct archive_handle_t {
64	/* Currently processed file's header */	64	/* Currently processed file's header */
65	file_header_t *file_header;	65	file_header_t *file_header;
66		66
		67	/* List of symlink placeholders */
		68	llist_t *symlink_placeholders;
		69
67	/* Process the header component, e.g. tar -t */	70	/* Process the header component, e.g. tar -t */
68	void FAST_FUNC (action_header)(const file_header_t );	71	void FAST_FUNC (action_header)(const file_header_t );
69		72
@@ -188,6 +191,7 @@ char get_header_ar(archive_handle_t *archive_handle) FAST_FUNC;
188	char get_header_cpio(archive_handle_t *archive_handle) FAST_FUNC;	191	char get_header_cpio(archive_handle_t *archive_handle) FAST_FUNC;
189	char get_header_tar(archive_handle_t *archive_handle) FAST_FUNC;	192	char get_header_tar(archive_handle_t *archive_handle) FAST_FUNC;
190	char get_header_tar_gz(archive_handle_t *archive_handle) FAST_FUNC;	193	char get_header_tar_gz(archive_handle_t *archive_handle) FAST_FUNC;
		194	char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC;
191	char get_header_tar_bz2(archive_handle_t *archive_handle) FAST_FUNC;	195	char get_header_tar_bz2(archive_handle_t *archive_handle) FAST_FUNC;
192	char get_header_tar_lzma(archive_handle_t *archive_handle) FAST_FUNC;	196	char get_header_tar_lzma(archive_handle_t *archive_handle) FAST_FUNC;
193	char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC;	197	char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC;


diff --git a/testsuite/tar.tests b/testsuite/tar.tests index 9f7ce1587..1675b07b1 100755 --- a/testsuite/tar.tests +++ b/testsuite/tar.tests
@@ -10,9 +10,6 @@ unset LC_COLLATE
10	unset LC_ALL	10	unset LC_ALL
11	umask 022	11	umask 022
12		12
13	rm -rf tar.tempdir 2>/dev/null
14	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
15
16	# testing "test name" "script" "expected result" "file input" "stdin"	13	# testing "test name" "script" "expected result" "file input" "stdin"
17		14
18	testing "Empty file is not a tarball" '\	15	testing "Empty file is not a tarball" '\
@@ -53,6 +50,7 @@ dd if=/dev/zero bs=512 count=20 2>/dev/null \| tar xvf - 2>&1; echo $?
53	"" ""	50	"" ""
54	SKIP=	51	SKIP=
55		52
		53	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
56	# "tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input":	54	# "tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input":
57	# GNU tar 1.26 records as hardlinks:	55	# GNU tar 1.26 records as hardlinks:
58	# input_hard2 -> input_hard1	56	# input_hard2 -> input_hard1
@@ -64,7 +62,6 @@ SKIP=
64	# We also don't use "hrw-r--r--" notation for hardlinks in "tar tv" listing.	62	# We also don't use "hrw-r--r--" notation for hardlinks in "tar tv" listing.
65	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES	63	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
66	testing "tar hardlinks and repeated files" '\	64	testing "tar hardlinks and repeated files" '\
67	rm -rf input_* test.tar 2>/dev/null
68	>input_hard1	65	>input_hard1
69	ln input_hard1 input_hard2	66	ln input_hard1 input_hard2
70	mkdir input_dir	67	mkdir input_dir
@@ -95,10 +92,11 @@ drwxr-xr-x input_dir
95	" \	92	" \
96	"" ""	93	"" ""
97	SKIP=	94	SKIP=
		95	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
98		96
		97	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
99	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES	98	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
100	testing "tar hardlinks mode" '\	99	testing "tar hardlinks mode" '\
101	rm -rf input_* test.tar 2>/dev/null
102	>input_hard1	100	>input_hard1
103	chmod 741 input_hard1	101	chmod 741 input_hard1
104	ln input_hard1 input_hard2	102	ln input_hard1 input_hard2
@@ -128,10 +126,11 @@ Ok: 0
128	" \	126	" \
129	"" ""	127	"" ""
130	SKIP=	128	SKIP=
		129	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
131		130
		131	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
132	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES	132	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
133	testing "tar symlinks mode" '\	133	testing "tar symlinks mode" '\
134	rm -rf input_* test.tar 2>/dev/null
135	>input_file	134	>input_file
136	chmod 741 input_file	135	chmod 741 input_file
137	ln -s input_file input_soft	136	ln -s input_file input_soft
@@ -159,10 +158,11 @@ lrwxrwxrwx input_file
159	" \	158	" \
160	"" ""	159	"" ""
161	SKIP=	160	SKIP=
		161	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
162		162
		163	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
163	optional FEATURE_TAR_CREATE FEATURE_TAR_LONG_OPTIONS	164	optional FEATURE_TAR_CREATE FEATURE_TAR_LONG_OPTIONS
164	testing "tar --overwrite" "\	165	testing "tar --overwrite" "\
165	rm -rf input_* test.tar 2>/dev/null
166	ln input input_hard	166	ln input input_hard
167	tar cf test.tar input_hard	167	tar cf test.tar input_hard
168	echo WRONG >input	168	echo WRONG >input
@@ -174,12 +174,13 @@ Ok
174	" \	174	" \
175	"Ok\n" ""	175	"Ok\n" ""
176	SKIP=	176	SKIP=
		177	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
177		178
		179	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
178	test x"$SKIP_KNOWN_BUGS" = x"" && {	180	test x"$SKIP_KNOWN_BUGS" = x"" && {
179	# Needs to be run under non-root for meaningful test	181	# Needs to be run under non-root for meaningful test
180	optional FEATURE_TAR_CREATE	182	optional FEATURE_TAR_CREATE
181	testing "tar writing into read-only dir" '\	183	testing "tar writing into read-only dir" '\
182	rm -rf input_* test.tar 2>/dev/null
183	mkdir input_dir	184	mkdir input_dir
184	>input_dir/input_file	185	>input_dir/input_file
185	chmod 550 input_dir	186	chmod 550 input_dir
@@ -201,7 +202,9 @@ dr-xr-x--- input_dir
201	"" ""	202	"" ""
202	SKIP=	203	SKIP=
203	}	204	}
		205	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
204		206
		207	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
205	# Had a bug where on extract autodetect first "switched off" -z	208	# Had a bug where on extract autodetect first "switched off" -z
206	# and then failed to recognize .tgz extension	209	# and then failed to recognize .tgz extension
207	optional FEATURE_TAR_CREATE FEATURE_SEAMLESS_GZ GUNZIP	210	optional FEATURE_TAR_CREATE FEATURE_SEAMLESS_GZ GUNZIP
@@ -217,7 +220,9 @@ Ok
217	" \	220	" \
218	"" ""	221	"" ""
219	SKIP=	222	SKIP=
		223	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
220		224
		225	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
221	# Do we detect XZ-compressed data (even w/o .tar.xz or txz extension)?	226	# Do we detect XZ-compressed data (even w/o .tar.xz or txz extension)?
222	# (the uuencoded hello_world.txz contains one empty file named "hello_world")	227	# (the uuencoded hello_world.txz contains one empty file named "hello_world")
223	optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_XZ	228	optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_XZ
@@ -236,7 +241,9 @@ AAAEWVo=
236	====	241	====
237	"	242	"
238	SKIP=	243	SKIP=
		244	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
239		245
		246	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
240	# On extract, everything up to and including last ".." component is stripped	247	# On extract, everything up to and including last ".." component is stripped
241	optional FEATURE_TAR_CREATE	248	optional FEATURE_TAR_CREATE
242	testing "tar strips /../ on extract" "\	249	testing "tar strips /../ on extract" "\
@@ -255,7 +262,9 @@ Ok
255	" \	262	" \
256	"" ""	263	"" ""
257	SKIP=	264	SKIP=
		265	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
258		266
		267	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
259	# attack.tar.bz2 has symlink pointing to a system file	268	# attack.tar.bz2 has symlink pointing to a system file
260	# followed by a regular file with the same name	269	# followed by a regular file with the same name
261	# containing "root::0:0::/root:/bin/sh":	270	# containing "root::0:0::/root:/bin/sh":
@@ -270,6 +279,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
270	testing "tar does not extract into symlinks" "\	279	testing "tar does not extract into symlinks" "\
271	>>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?	280	>>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
272	" "\	281	" "\
		282	tar: can't create symlink 'passwd' to '/tmp/passwd'
273	0	283	0
274	" \	284	" \
275	"" "\	285	"" "\
@@ -281,12 +291,15 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
281	====	291	====
282	"	292	"
283	SKIP=	293	SKIP=
		294	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		295
		296	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
284	# And same with -k	297	# And same with -k
285	optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2	298	optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
286	testing "tar -k does not extract into symlinks" "\	299	testing "tar -k does not extract into symlinks" "\
287	>>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?	300	>>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
288	" "\	301	" "\
289	tar: can't open 'passwd': File exists	302	tar: can't create symlink 'passwd' to '/tmp/passwd'
290	0	303	0
291	" \	304	" \
292	"" "\	305	"" "\
@@ -298,7 +311,9 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
298	====	311	====
299	"	312	"
300	SKIP=	313	SKIP=
		314	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
301		315
		316	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
302	optional UNICODE_SUPPORT FEATURE_TAR_GNU_EXTENSIONS FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT	317	optional UNICODE_SUPPORT FEATURE_TAR_GNU_EXTENSIONS FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
303	testing "Pax-encoded UTF8 names and symlinks" '\	318	testing "Pax-encoded UTF8 names and symlinks" '\
304	tar xvf ../tar.utf8.tar.bz2 2>&1; echo $?	319	tar xvf ../tar.utf8.tar.bz2 2>&1; echo $?
@@ -318,8 +333,36 @@ etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
318	" \	333	" \
319	"" ""	334	"" ""
320	SKIP=	335	SKIP=
		336	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
321		337
322		338	mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
323	cd .. && rm -rf tar.tempdir \|\| exit 1	339	optional FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
		340	testing "Symlink attack: create symlink and then write through it" '\
		341	exec 2>&1
		342	uudecode -o input && tar xvf input; echo $?
		343	ls /tmp/bb_test_evilfile
		344	ls bb_test_evilfile
		345	ls symlink/bb_test_evilfile
		346	' "\
		347	anything.txt
		348	symlink
		349	symlink/bb_test_evilfile
		350	tar: can't create symlink 'symlink' to '/tmp'
		351	1
		352	ls: /tmp/bb_test_evilfile: No such file or directory
		353	ls: bb_test_evilfile: No such file or directory
		354	symlink/bb_test_evilfile
		355	" \
		356	"" "\
		357	begin-base64 644 tar_symlink_attack.tar.bz2
		358	QlpoOTFBWSZTWZgs7bQAALT/hMmQAFBAAf+AEMAGJPPv32AAAIAIMAC5thlR
		359	omAjAmCMADQT1BqNE0AEwAAjAEwElTKeo9NTR6h6gaeoA0DQNLVdwZZ5iNTk
		360	AQwCAV6S00QFJYhrlfFkVCEDEGtgNVqYrI0uK3ggnt30gqk4e1TTQm5QIAKa
		361	SJqzRGSFLMmOloHSAcvLiFxxRiQtQZF+qPxbo173ZDISOAoNoPN4PQPhBhKS
		362	n8fYaKlioCTzL2oXYczyUUIP4u5IpwoSEwWdtoA=
		363	====
		364	"
		365	SKIP=
		366	cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
324		367
325	exit $FAILCOUNT	368	exit $FAILCOUNT