Bug 1539685 (CVE-2017-7516)

Summary: CVE-2017-7516 cpio: --no-absolute-filenames bypass via symlinks
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, cbuissar, databases-maint, dmoppert, hhorak, kdudka, ovasik, praiskup, tomm.momi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] A vulnerability was identified in the GNU cpio package where the --no-absolute-filenames option, intended to restrict extraction to the current directory, can be bypassed using crafted symlinks. During extraction, cpio will first create the symlink and then follow it for subsequent entries, allowing a malicious archive to write files outside the intended directory (e.g., /tmp/file). An attacker could exploit this by tricking a user into extracting such an archive, potentially leading to arbitrary file creation, privilege escalation, or data corruption.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-23 11:55:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1188590, 1539687, 1539688
Bug Blocks: 1458829

Description Cedric Buissart 2018-01-29 12:44:53 UTC
Note: this bug is actually a duplicate of CVE-2015-1197. See CVE-2015-1197 for information regarding this.

A possible --no-absolute-filenames bypass while extracting a malicious archive in cpio. This allows for arbitrary file creation.
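The symlink-then-write sequence described in the doc text, as an added pre-extraction check that is not part of this bug report or of cpio itself: it replays an archive listing in order, follows only the symlinks that earlier entries would already have created, and reports every entry that would land outside the extraction directory. The sample listing, the /extract root and the modelling of --no-absolute-filenames as dropping leading slashes from entry names are constructed assumptions.

```python
import posixpath

# Constructed sample listing in archive order (not from the bug report).
# Each entry is (path, kind, symlink_target); cpio creates entries in this
# order, so a symlink created early is followed by later entries.
SAMPLE_ENTRIES = [
    ("etc", "dir", None),
    ("etc/motd", "file", None),
    ("tmpdir", "symlink", "/tmp"),    # symlink pointing outside the root
    ("tmpdir/file", "file", None),    # relative name, would land in /tmp/file
    ("up", "symlink", ".."),
    ("up/escape", "file", None),      # would land one level above the root
]

ROOT = "/extract"  # hypothetical extraction directory

def resolve(path, symlinks, root=ROOT):
    """Resolve path component by component from root, following only the
    symlinks recorded from earlier entries; return the absolute path the
    entry would actually be written to."""
    cur = root
    parts = [p for p in path.split("/") if p and p != "."]
    hops = 0
    while parts:
        cand = posixpath.normpath(posixpath.join(cur, parts.pop(0)))
        target = symlinks.get(cand)
        if target is None:
            cur = cand
            continue
        hops += 1
        if hops > 40:
            raise ValueError("symlink loop while resolving %s" % path)
        # Follow the link: push its target components in front of the
        # remaining ones so nested symlinks are followed as well.
        cur = "/" if target.startswith("/") else posixpath.dirname(cand)
        parts = [p for p in target.split("/") if p and p != "."] + parts
    return cur

def check_entries(entries, root=ROOT):
    """Replay the listing in archive order and return (name, destination)
    for every entry that would end up outside root."""
    symlinks, escapes = {}, []
    for path, kind, target in entries:
        path = path.lstrip("/")  # model --no-absolute-filenames: leading '/' dropped
        dest = resolve(path, symlinks, root)
        if dest != root and not dest.startswith(root + "/"):
            escapes.append((path, dest))
        elif kind == "symlink":
            symlinks[dest] = target  # created inside root; later entries may pass through it
    return escapes
```

Run the check on a listing (for example from `cpio -tv`) before extracting, and refuse the archive if it returns anything.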

Comment 1 Cedric Buissart 2018-01-29 12:46:21 UTC
External References:

http://lists.gnu.org/archive/html/bug-cpio/2017-06/msg00001.html

Comment 2 Cedric Buissart 2018-01-29 12:54:18 UTC
Created cpio tracking bugs for this issue:

Affects: fedora-all [bug 1539688]

Comment 4 Adam Mariš 2018-01-29 15:24:37 UTC
Acknowledgments:

Name: Cedric Buissart (Red Hat)

Comment 6 Salvatore Bonaccorso 2018-02-18 21:30:48 UTC
Hi Cedric,

Isn't that a duplicate of CVE-2015-1197?

Regards,
Salvatore

Comment 7 Salvatore Bonaccorso 2018-02-18 21:45:20 UTC
Sorry, to be more specific: there are references in the MITRE entry at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197 .

https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html

Was posted on the cpio bug list, but I think it never got a reply. Several distributions seem to have then applied the patch from SuSE (at least in Debian, SUSE, Ubuntu, Mageia).

Regards,
Salvatore

Comment 8 Salvatore Bonaccorso 2018-02-20 05:45:31 UTC
Hi Doran, hi Cedric

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7516 has been updated.

Regards,
Salvatore

Comment 9 Cedric Buissart 2018-02-23 11:55:28 UTC
Hi Salvatore,
Ouch ... thanks! I had missed it :(

Comment 10 Cedric Buissart 2018-03-13 11:43:09 UTC

*** This bug has been marked as a duplicate of bug 1179773 ***