[Bug 10651] New: tar: check for unsafe symlinks is overly strict
bugzilla at busybox.net
bugzilla at busybox.net
Sun Jan 14 14:54:06 UTC 2018
https://bugs.busybox.net/show_bug.cgi?id=10651
Bug ID: 10651
Summary: tar: check for unsafe symlinks is overly strict
Product: Busybox
Version: 1.28.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: bb at gigawatt.nl
CC: busybox-cvs at busybox.net
Target Milestone: ---
To counter bug #8411, busybox tar no longer allows unsafe symlinks to be
created. Unfortunately, it is now so strict that safe symlinks are no longer
accepted either. Ironically, the very first failure that I got after upgrading
to busybox 1.28 was for a tarball containing along with other files:
bin/busybox
usr/bin/ar -> ../../bin/busybox
At the very least, symlinks to files are safe no matter what they start with.
There was no need to block this. It cannot be used to modify any files
inappropriately by tar, because a subsequent attempt to extract there would
delete the symlink before creating the file.
But actually, I think the whole logic for checking unsafe symlinks is
unnecessary. It's not the symlink that's unsafe, it's a subsequent attempt to
use that symlink to create or overwrite a file where the user shouldn't be able
to modify anything. The initial patch handled this for extraction into empty
directories by delaying the symlink creation. This is sufficient if the pattern
is 1) create temp directory 2) extract into temp directory 3) validate contents
of temp directory 4) remove temp directory if contents are invalid.
But indeed, this is not enough if multiple untrusted tarballs are extracted
into the same directory. I do not know if that is supposed to be safe. It
currently isn't with GNU tar, but it may be reasonable to expect that to be
safe.
One way to handle that would be, on an attempt to extract a/b/c, to require
that a and a/b are truly directories, not symlinks. This is doable by using
openat(), opening all path components individually with O_NOFOLLOW. This way,
if any component is a symlink, an error is raised. If the path components are
cached, then for the common case where a large number of files appear in the
same directory, it might even reduce path lookups.
Would something like this be acceptable, or does this have other security
implications that I'm not seeing?
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the busybox-cvs
mailing list