tar: postpone creation of symlinks with "suspicious" targets. Closes 8411

function old new delta data_extract_all 968 1038 +70 tar_main 952 986 +34 scan_tree 258 262 +4 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 3/0 up/down: 108/0) Total: 108 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko <vda.linux@googlemail.com> 2017-07-24 17:20:13 +0200
committer: Denys Vlasenko <vda.linux@googlemail.com> 2017-07-24 17:20:13 +0200
commit: b920a38dc0a87f5884444d4731a8b887b5e16018 (patch)
tree: 5d845976a9471e705183db9afbbe7885e9070b52 /archival
parent: c810978552bc0133ba723ababaa178c8d53256e1 (diff)
download: busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.tar.gz
busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.tar.bz2
busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.zip
3 files changed, 71 insertions, 24 deletions
diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
index 1830ffb8d..1ce927c2f 100644
--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
@@ -128,10 +128,11 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
                res = link(hard_link, dst_name);
                if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
                        /* shared message */
-                        bb_perror_msg("can't create %slink "
+                        bb_perror_msg("can't create %slink '%s' to '%s'",
-                                        "%s to %s", "hard",
+                                        "hard",
                                        dst_name,
-                                        hard_link);
+                                        hard_link
+                        );
                }
                /* Hardlinks have no separate mode/ownership, skip chown/chmod */
                goto ret;
@@ -178,15 +179,44 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
        case S_IFLNK:
                /* Symlink */
 //TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
+                /* To avoid a directory traversal attack via symlinks,
+                 * for certain link targets postpone creation of symlinks.
+                 *
+                 * For example, consider a .tar created via:
+                 *  $ tar cvf bug.tar anything.txt
+                 *  $ ln -s /tmp symlink
+                 *  $ tar --append -f bug.tar symlink
+                 *  $ rm symlink
+                 *  $ mkdir symlink
+                 *  $ tar --append -f bug.tar symlink/evil.py
+                 *
+                 * This will result in an archive that contains:
+                 *  $ tar --list -f bug.tar
+                 *  anything.txt
+                 *  symlink [-> /tmp]
+                 *  symlink/evil.py
+                 *
+                 * Untarring bug.tar would otherwise place evil.py in '/tmp'.
+                 */
+                if (file_header->link_target[0] == '/'
+                 || strstr(file_header->link_target, "..")
+                ) {
+                        llist_add_to(&archive_handle->symlink_placeholders,
+                                xasprintf("%s%c%s", file_header->name, '\0', file_header->link_target)
+                        );
+                        break;
+                }
                res = symlink(file_header->link_target, dst_name);
                if (res != 0
                 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
                ) {
                        /* shared message */
-                        bb_perror_msg("can't create %slink "
+                        bb_perror_msg("can't create %slink '%s' to '%s'",
-                                "%s to %s", "sym",
+                                "sym",
                                dst_name,
-                                file_header->link_target);
+                                file_header->link_target
+                        );
                }
                break;
        case S_IFSOCK:
diff --git a/archival/tar.c b/archival/tar.c
index 0fc574dfd..280ded4e1 100644
--- a/archival/tar.c
+++ b/archival/tar.c
@@ -22,24 +22,6 @@
 *
 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
 */
-/* TODO: security with -C DESTDIR option can be enhanced.
- * Consider tar file created via:
- * $ tar cvf bug.tar anything.txt
- * $ ln -s /tmp symlink
- * $ tar --append -f bug.tar symlink
- * $ rm symlink
- * $ mkdir symlink
- * $ tar --append -f bug.tar symlink/evil.py
- *
- * This will result in an archive which contains:
- * $ tar --list -f bug.tar
- * anything.txt
- * symlink
- * symlink/evil.py
- *
- * Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
- * This doesn't feel right, and IIRC GNU tar doesn't do that.
- */
 //config:config TAR
 //config:       bool "tar (40 kb)"
@@ -296,6 +278,23 @@ static void chksum_and_xwrite(int fd, struct tar_header_t* hp)
        xwrite(fd, hp, sizeof(*hp));
 }
+static void replace_symlink_placeholders(llist_t *list)
+{
+        while (list) {
+                char *target;
+                target = list->data + strlen(list->data) + 1;
+                if (symlink(target, list->data)) {
+                        /* shared message */
+                        bb_error_msg_and_die("can't create %slink '%s' to '%s'",
+                                "sym",
+                                list->data, target
+                        );
+                }
+                list = list->link;
+        }
+}
 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
 static void writeLongname(int fd, int type, const char *name, int dir)
 {
@@ -1252,6 +1251,8 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
        while (get_header_tar(tar_handle) == EXIT_SUCCESS)
                bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */
+        replace_symlink_placeholders(tar_handle->symlink_placeholders);
        /* Check that every file that should have been extracted was */
        while (tar_handle->accept) {
                if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)
diff --git a/archival/tar_symlink_attack b/archival/tar_symlink_attack
new file mode 100755
index 000000000..35455f200
--- /dev/null
+++ b/archival/tar_symlink_attack
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Makes "symlink attack" tarball (needs GNU tar for --append)
+true >anything.txt
+tar cvf tar_symlink_attack.tar anything.txt
+rm anything.txt
+ln -s /tmp symlink
+tar --append -f tar_symlink_attack.tar symlink
+rm symlink
+mkdir symlink
+echo BUG >symlink/bb_test_evilfile
+tar --append -f tar_symlink_attack.tar symlink/bb_test_evilfile
+rm symlink/bb_test_evilfile
+rmdir symlink
author	Denys Vlasenko <vda.linux@googlemail.com>	2017-07-24 17:20:13 +0200
committer	Denys Vlasenko <vda.linux@googlemail.com>	2017-07-24 17:20:13 +0200
commit	b920a38dc0a87f5884444d4731a8b887b5e16018 (patch)
tree	5d845976a9471e705183db9afbbe7885e9070b52 /archival
parent	c810978552bc0133ba723ababaa178c8d53256e1 (diff)
download	busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.tar.gz busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.tar.bz2 busybox-w32-b920a38dc0a87f5884444d4731a8b887b5e16018.zip

diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c index 1830ffb8d..1ce927c2f 100644 --- a/archival/libarchive/data_extract_all.c +++ b/archival/libarchive/data_extract_all.c
@@ -128,10 +128,11 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
128	res = link(hard_link, dst_name);	128	res = link(hard_link, dst_name);
129	if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {	129	if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
130	/* shared message */	130	/* shared message */
131	bb_perror_msg("can't create %slink "	131	bb_perror_msg("can't create %slink '%s' to '%s'",
132	"%s to %s", "hard",	132	"hard",
133	dst_name,	133	dst_name,
134	hard_link);	134	hard_link
		135	);
135	}	136	}
136	/* Hardlinks have no separate mode/ownership, skip chown/chmod */	137	/* Hardlinks have no separate mode/ownership, skip chown/chmod */
137	goto ret;	138	goto ret;
@@ -178,15 +179,44 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
178	case S_IFLNK:	179	case S_IFLNK:
179	/* Symlink */	180	/* Symlink */
180	//TODO: what if file_header->link_target == NULL (say, corrupted tarball?)	181	//TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
		182
		183	/* To avoid a directory traversal attack via symlinks,
		184	* for certain link targets postpone creation of symlinks.
		185	*
		186	* For example, consider a .tar created via:
		187	* $ tar cvf bug.tar anything.txt
		188	* $ ln -s /tmp symlink
		189	* $ tar --append -f bug.tar symlink
		190	* $ rm symlink
		191	* $ mkdir symlink
		192	* $ tar --append -f bug.tar symlink/evil.py
		193	*
		194	* This will result in an archive that contains:
		195	* $ tar --list -f bug.tar
		196	* anything.txt
		197	* symlink [-> /tmp]
		198	* symlink/evil.py
		199	*
		200	* Untarring bug.tar would otherwise place evil.py in '/tmp'.
		201	*/
		202	if (file_header->link_target[0] == '/'
		203	\|\| strstr(file_header->link_target, "..")
		204	) {
		205	llist_add_to(&archive_handle->symlink_placeholders,
		206	xasprintf("%s%c%s", file_header->name, '\0', file_header->link_target)
		207	);
		208	break;
		209	}
181	res = symlink(file_header->link_target, dst_name);	210	res = symlink(file_header->link_target, dst_name);
182	if (res != 0	211	if (res != 0
183	&& !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)	212	&& !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
184	) {	213	) {
185	/* shared message */	214	/* shared message */
186	bb_perror_msg("can't create %slink "	215	bb_perror_msg("can't create %slink '%s' to '%s'",
187	"%s to %s", "sym",	216	"sym",
188	dst_name,	217	dst_name,
189	file_header->link_target);	218	file_header->link_target
		219	);
190	}	220	}
191	break;	221	break;
192	case S_IFSOCK:	222	case S_IFSOCK:


diff --git a/archival/tar.c b/archival/tar.c index 0fc574dfd..280ded4e1 100644 --- a/archival/tar.c +++ b/archival/tar.c
@@ -22,24 +22,6 @@
22	*	22	*
23	* Licensed under GPLv2 or later, see file LICENSE in this source tree.	23	* Licensed under GPLv2 or later, see file LICENSE in this source tree.
24	*/	24	*/
25	/* TODO: security with -C DESTDIR option can be enhanced.
26	* Consider tar file created via:
27	* $ tar cvf bug.tar anything.txt
28	* $ ln -s /tmp symlink
29	* $ tar --append -f bug.tar symlink
30	* $ rm symlink
31	* $ mkdir symlink
32	* $ tar --append -f bug.tar symlink/evil.py
33	*
34	* This will result in an archive which contains:
35	* $ tar --list -f bug.tar
36	* anything.txt
37	* symlink
38	* symlink/evil.py
39	*
40	* Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
41	* This doesn't feel right, and IIRC GNU tar doesn't do that.
42	*/
43		25
44	//config:config TAR	26	//config:config TAR
45	//config: bool "tar (40 kb)"	27	//config: bool "tar (40 kb)"
@@ -296,6 +278,23 @@ static void chksum_and_xwrite(int fd, struct tar_header_t* hp)
296	xwrite(fd, hp, sizeof(*hp));	278	xwrite(fd, hp, sizeof(*hp));
297	}	279	}
298		280
		281	static void replace_symlink_placeholders(llist_t *list)
		282	{
		283	while (list) {
		284	char *target;
		285
		286	target = list->data + strlen(list->data) + 1;
		287	if (symlink(target, list->data)) {
		288	/* shared message */
		289	bb_error_msg_and_die("can't create %slink '%s' to '%s'",
		290	"sym",
		291	list->data, target
		292	);
		293	}
		294	list = list->link;
		295	}
		296	}
		297
299	#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS	298	#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
300	static void writeLongname(int fd, int type, const char *name, int dir)	299	static void writeLongname(int fd, int type, const char *name, int dir)
301	{	300	{
@@ -1252,6 +1251,8 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
1252	while (get_header_tar(tar_handle) == EXIT_SUCCESS)	1251	while (get_header_tar(tar_handle) == EXIT_SUCCESS)
1253	bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */	1252	bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */
1254		1253
		1254	replace_symlink_placeholders(tar_handle->symlink_placeholders);
		1255
1255	/* Check that every file that should have been extracted was */	1256	/* Check that every file that should have been extracted was */
1256	while (tar_handle->accept) {	1257	while (tar_handle->accept) {
1257	if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)	1258	if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)


diff --git a/archival/tar_symlink_attack b/archival/tar_symlink_attack new file mode 100755 index 000000000..35455f200 --- /dev/null +++ b/archival/tar_symlink_attack
@@ -0,0 +1,16 @@
		1	#!/bin/sh
		2	# Makes "symlink attack" tarball (needs GNU tar for --append)
		3
		4	true >anything.txt
		5	tar cvf tar_symlink_attack.tar anything.txt
		6	rm anything.txt
		7
		8	ln -s /tmp symlink
		9	tar --append -f tar_symlink_attack.tar symlink
		10	rm symlink
		11
		12	mkdir symlink
		13	echo BUG >symlink/bb_test_evilfile
		14	tar --append -f tar_symlink_attack.tar symlink/bb_test_evilfile
		15	rm symlink/bb_test_evilfile
		16	rmdir symlink