author | Sergey Poznyakoff <gray@gnu.org> | 2019-11-03 17:31:37 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org> | 2019-11-03 17:40:03 +0200 |
commit | 45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca (patch) | |
tree | 7f0251e6df12aadae7c6779bc7cacf2da8254bac | |
parent | 3177d660a4c62a6acb538b0f7c54ba423698889a (diff) | |
Fix CVE-2015-1197
* src/copyin.c (copyin_link): Force safer name suffix for symbolic links.
* tests/CVE-2015-1197.at: New file.
* tests/Makefile.am: Add new test case.
* tests/testsuite.at: Likewise.
-rw-r--r-- | src/copyin.c | 5 | ||||
-rw-r--r-- | tests/CVE-2015-1197.at | 43 | ||||
-rw-r--r-- | tests/Makefile.am | 3 | ||||
-rw-r--r-- | tests/testsuite.at | 2 |
4 files changed, 50 insertions, 3 deletions
diff --git a/src/copyin.c b/src/copyin.c index 63541eb..7cdfda3 100644 --- a/src/copyin.c +++ b/src/copyin.c @@ -645,13 +645,14 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des) link_name = xstrdup (file_hdr->c_tar_linkname); } + cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false); + res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode); if (res < 0 && create_dir_flag) { create_all_directories (file_hdr->c_name); - res = UMASKED_SYMLINK (link_name, file_hdr->c_name, - file_hdr->c_mode); + res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode); } if (res < 0) { diff --git a/tests/CVE-2015-1197.at b/tests/CVE-2015-1197.at new file mode 100644 index 0000000..6079af7 --- /dev/null +++ b/tests/CVE-2015-1197.at 
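Review bot: The new `cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);` call in copyin_link appears to rewrite the target only when --no-absolute-filenames is in effect, so a default extraction still creates the absolute symlink and later archive members can be written through it; that opt-in scope should be stated in a comment above the call, for example `/* CVE-2015-1197: with --no-absolute-filenames, make the symlink target relative so later members cannot be written through it to a path outside the extraction directory. */`. Stripping the leading `/` also changes what a legitimate link means, because the remaining path is resolved relative to the directory holding the link rather than the extraction root, so an absolute link stored in a subdirectory will likely dangle afterwards. Whether targets that climb out with `..` components are covered depends on the helper, which is not visible here, and the new test does not exercise that case. The body of copyin_link starts above and continues below this hunk.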
@@ -0,0 +1,43 @@
+# Process this file with autom4te to create testsuite. -*- Autotest -*-
+# Copyright (C) 2009-2019 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
+AT_CHECK([
+tempdir=$(pwd)/tmp
+mkdir $tempdir
+touch $tempdir/file
+ln -s $tempdir dir
+AT_DATA([filelist],
+[dir
+dir/file
+])
+ln -s /tmp dir
+touch /tmp/file
+cpio -o < filelist > test.cpio
+rm dir /tmp/file
+cpio --no-absolute-filenames -iv < test.cpio
+],
+[2],
+[],
+[1 block
+cpio: Removing leading `/' from hard link targets
+dir
+cpio: dir/file: Cannot open: No such file or directory
+dir/file
+1 block
+])
+AT_CLEANUP
+
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 65acb46..5b8e9ed 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -56,7 +56,8 @@ TESTSUITE_AT = \
 symlink-long.at\
 symlink-to-stdout.at\
 version.at\
- big-block-size.at
+ big-block-size.at\
+ CVE-2015-1197.at
 TESTSUITE = $(srcdir)/testsuite
diff --git a/tests/testsuite.at b/tests/testsuite.at
index 644ada0..10cb8b9 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -43,3 +43,5 @@ m4_include([setstat03.at])
 m4_include([setstat04.at])
 m4_include([setstat05.at])
 m4_include([big-block-size.at])
+
+m4_include([CVE-2015-1197.at]) |
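Review bot: In tests/CVE-2015-1197.at the AT_CHECK script runs `touch /tmp/file` and `rm dir /tmp/file`, so the test creates and then deletes a fixed name in the host's shared /tmp, which can remove an unrelated file and lets concurrent runs interfere with each other. Because `dir` already exists as a link to `$tempdir` when `ln -s /tmp dir` runs, that command seems to create a `tmp` link inside `$tempdir` rather than replace `dir`, so the /tmp steps look unnecessary for the case under test. Dropping `ln -s /tmp dir` and `touch /tmp/file` and changing the cleanup to `rm dir` would keep everything inside the test directory. The expected stderr also pins a message that speaks of "hard link targets" although the member is a symbolic link; a short `#` comment above AT_SETUP saying so would spare the next reader the confusion.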