Red Hat Bugzilla – Bug 156314
CAN-2005-1229 cpio directory traversal issue
Last modified: 2007-11-30 17:11:05 EST
+++ This bug was initially created as a clone of Bug #156313 +++
Directory traversal vulnerability in cpio 2.6 and earlier allows remote
attackers to write to arbitrary directories via a .. (dot dot) in a cpio file.
Created attachment 114202 [details]
fix candidate for devel, it needs more tests
when --no-absolute-filenames used, it skip members with '..' in name(include
Should be there a new option to disallow '..' by default,
or disallow '..' when --no-absolute-filenames used?
I would like to know which variant is the best one.
I think it would be better to disallow absolute filenames by default and have an
option to enable them. This is what tar does. It will strip out /../ unless
you tell it not to.
Created attachment 114460 [details]
new patch from ALT Linux, i use it for devel
A minor issue. cpio.texi does not reflect changes in options semantics;
only cpio.info is patched.