Bug 1765511 (CVE-2019-14866)
| Field | Value |
|---|---|
| Summary | CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation |
| Product | [Other] Security Response |
| Reporter | Riccardo Schirone <rschiron> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | databases-maint, kdudka, odubaj, ovasik, panovotn, pkubat, praiskup, tomm.momi |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | It was discovered that cpio does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have, or in paths the attacker did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-09-29 21:58:42 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1766222, 1766223, 1766234, 2021589 |
| Bug Blocks | 1754449 |
Description
Riccardo Schirone
2019-10-25 09:51:33 UTC
Mitigation: TAR archives should be inspected before being extracted, and the extraction should be performed with the `tar` command, or with the `--no-absolute-filenames` option if done with `cpio`. Moreover, it should be performed by a low-privilege user whenever possible, to prevent extraction of files that could compromise the system.

Acknowledgments: Name: Thomas Habets

Created cpio tracking bugs for this issue: Affects: fedora-all [bug 1766234]

In function tar.c:write_out_tar_header() some fields are written in octal digits in the TAR header. Among them, the "file size" field is written, but only 12 bytes are available in the buffer for the resulting octal digits. When the file size of the input file is greater than the maximum number that could be written with 11 octal digits (12 - 1 for the null byte), no checks are performed to detect this case and an unexpected TAR file is generated, containing the files extracted from the input file.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2020:3908 https://access.redhat.com/errata/RHSA-2020:3908

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14866

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2021:1582 https://access.redhat.com/errata/RHSA-2021:1582

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support. Via RHSA-2022:0073 https://access.redhat.com/errata/RHSA-2022:0073
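The octal-field limit described in the report, as an added example in C. This is not cpio's source: `to_oct_truncating` is modelled on the failure mode the report describes (a size that needs more than 11 octal digits is written with its high bits dropped, so the field wraps modulo 2^33), `to_oct_checked` is the kind of bounds check the report says is missing, and `from_oct` / `next_header_offset` show the reader side, namely why a wrapped size field makes a tar reader treat bytes inside the oversized input file as the next entry header. All function names are this example's own, and the 8 GiB + 512 byte input size is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK   512   /* tar archives are sequences of 512-byte blocks */
#define SIZE_DIGITS 12    /* bytes reserved for the ustar "size" field: 11 octal digits + NUL */

/* Largest value 11 octal digits can hold: 8^11 - 1 = 2^33 - 1 (one byte short of 8 GiB). */
#define SIZE_MAX_OCTAL (((uint64_t)1 << (3 * (SIZE_DIGITS - 1))) - 1)

/* Illustrative encoder (not cpio's code) mirroring the reported failure mode:
 * only the low 3*(digits-1) bits of `value` are emitted; higher bits vanish silently. */
static void to_oct_truncating(uint64_t value, size_t digits, char *where)
{
    --digits;                       /* leave room for the trailing NUL */
    where[digits] = '\0';
    while (digits > 0) {
        where[--digits] = (char)('0' + (value & 7));   /* one octal digit, low to high */
        value >>= 3;
    }
}

/* Hardened variant: refuse any value the field cannot represent.
 * Returns 0 on success, -1 when `value` needs more than digits-1 octal digits
 * (the caller must then fail the archive or switch to a wider encoding). */
static int to_oct_checked(uint64_t value, size_t digits, char *where)
{
    uint64_t limit = (uint64_t)1 << (3 * (digits - 1));
    if (value >= limit)
        return -1;
    to_oct_truncating(value, digits, where);
    return 0;
}

/* Reader side: decode an octal header field the way a tar extractor does (stop at NUL/space). */
static uint64_t from_oct(const char *field, size_t digits)
{
    uint64_t v = 0;
    for (size_t i = 0; i < digits && field[i] >= '0' && field[i] <= '7'; i++)
        v = (v << 3) | (uint64_t)(field[i] - '0');
    return v;
}

/* Size an extractor recovers from a header written with the truncating encoder. */
static uint64_t size_seen_by_reader(uint64_t actual_size)
{
    char field[SIZE_DIGITS];
    to_oct_truncating(actual_size, SIZE_DIGITS, field);
    return from_oct(field, SIZE_DIGITS);
}

/* Offset (from the entry's header) at which an extractor looks for the NEXT header:
 * one header block plus the data rounded up to whole blocks. */
static uint64_t next_header_offset(uint64_t data_size)
{
    return TAR_BLOCK + ((data_size + TAR_BLOCK - 1) / TAR_BLOCK) * TAR_BLOCK;
}

/* Encode with the checked encoder and compare the field text; 1 = accepted and equal, 0 otherwise. */
static int checked_encodes_as(uint64_t value, const char *expect)
{
    char field[SIZE_DIGITS];
    if (to_oct_checked(value, SIZE_DIGITS, field) != 0)
        return 0;
    return strcmp(field, expect) == 0;
}

int main(void)
{
    /* Constructed input: a file 512 bytes larger than the field can represent. */
    uint64_t actual = SIZE_MAX_OCTAL + 1 + TAR_BLOCK;
    char field[SIZE_DIGITS];

    to_oct_truncating(actual, SIZE_DIGITS, field);
    printf("actual size        : %llu bytes\n", (unsigned long long)actual);
    printf("size field written : \"%s\"\n", field);
    printf("size a reader sees : %llu bytes\n", (unsigned long long)size_seen_by_reader(actual));
    printf("reader expects next header at entry offset %llu instead of %llu\n",
           (unsigned long long)next_header_offset(size_seen_by_reader(actual)),
           (unsigned long long)next_header_offset(actual));
    /* So whatever the attacker placed at byte 512 of the input file is parsed as a tar header,
     * with a path and mode of the attacker's choosing. */
    printf("checked encoder on the same size: %s\n",
           to_oct_checked(actual, SIZE_DIGITS, field) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the wrapped field reads `00000001000` (512), so the reader resumes header parsing 1024 bytes into the entry, deep inside data the attacker controls, whereas the checked encoder returns -1 and the archive should not be produced.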