Bug 2249901 (CVE-2023-7216)
| Summary: | CVE-2023-7216 CPIO: extraction allows symlinks which enables Remote Command Execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Nick Tait <ntait> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | carnil, mrehak, mschorm, pdelbell, prodsec-ir-bot, samueloph, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | Flags: | mschorm:
needinfo?
(ntait) mschorm: needinfo? (prodsec-ir-bot) |
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2249902, 2255242 | ||
|
Description
Nick Tait
2023-11-15 20:50:58 UTC
This attack requires to social engineer the user to open the cpio archive, impact of this is moderate. *** Bug 2255243 has been marked as a duplicate of this bug. *** Looks very similar to CVE-2015-1197 - https://bugzilla.redhat.com/show_bug.cgi?id=1179773 There is a question in upstream list about this CVE in https://lists.gnu.org/archive/html/bug- cpio/2024-02/msg00000.html Marian, can you help with this question? Corrected link is https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg00000.html https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html CVE-2023-7216 has been rejected by the upstream community , cpio maintainer don't think it's a bug. Is the Red Hat community considering marking CVE-2023-7216 as rejected on NVD? I see no difference between this CVE-2023-7216 and the CVE-2015-1197. Both CVEs are about the same thing: escaping the directory tree the archive is extracted in. The way the reproducer is constructed is a bit different but from what I can tell it results in the same principle. I've made an extensive summary of the CVE-2015-1197 here: https://bugzilla.redhat.com/show_bug.cgi?id=1179773#c8 I don't understand why this CVE is rated 'moderate' (was even 'high' for a while), while the CVE-2015-1197 is rated 'low'. After 8 years, the upstream created a fix for the cpio '--no-absolute-filenames' option, so it now prevents the attack. Other than that the upstream rejected this CVE, stating to use the fixed '--no-absolute-filenames' option, which entirely prevents it. As I've pointed out in the CVE-2015-1197, we haven't fixed even that in RHEL 7, 8, 9. And it doesn't seem to be a problem, at least as far as I can tell. I believe these two CVEs are the exact same, only revived few years later. As it wasn't a problem with the CVE-2015-1197, I strongly suggest to use the same resolution. Which is: - lower the CVE severity to 'low' - close as 'WON'T FIX' The RHEL 10 will likely be the first RHEL distribution containing the fix. |