Bug 1765511 (CVE-2019-14866) - CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14866
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1766222 1766223 1766234 2021589
Blocks: 1754449
Reported: 2019-10-25 09:51 UTC by Riccardo Schirone
Modified: 2023-12-15 16:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered cpio does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.
Clone Of:
Environment:
Last Closed: 2020-09-29 21:58:42 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3908 0 None None None 2020-09-29 19:45:46 UTC
Red Hat Product Errata RHSA-2022:0073 0 None None None 2022-01-11 16:26:17 UTC

Description Riccardo Schirone 2019-10-25 09:51:33 UTC
cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.

References:
https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html

Proposed patch:
https://cement.retrofitta.se/tmp/cpio-tar.patch

Comment 1 Riccardo Schirone 2019-10-25 10:11:24 UTC
Mitigation:

TAR archives should be inspected before being extracted, and the extraction should be performed with the `tar` command, or with the `--no-absolute-filenames` option if done with `cpio`. Moreover, it should be performed by a low-privilege user whenever possible, to prevent extraction of files that could compromise the system.

Comment 4 Riccardo Schirone 2019-10-28 15:27:44 UTC
Acknowledgments:

Name: Thomas Habets

Comment 7 Riccardo Schirone 2019-10-28 15:56:47 UTC
Created cpio tracking bugs for this issue:

Affects: fedora-all [bug 1766234]

Comment 8 Riccardo Schirone 2019-10-29 09:17:22 UTC
In function tar.c:write_out_tar_header() some fields are written in octal digits in the TAR header. Among them, the "file size" field is written but only 12 bytes are available in the buffer for the resulting octal digits. When the file size of the input file is greater than the maximum number that could be written with 11 octal digits (12 - 1 for the null byte), no checks are performed to detect this case and an unexpected TAR file is generated, containing the files extracted from the input file.
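The comment above describes the defect: an octal field writer that assumes the value fits in the 12-byte (11 digit plus NUL) "size" field of the tar header and never checks it. The following is an added example, not cpio's own to_oct() or any code from the project, showing the bounds check such a writer needs: `tar_octal_field_max()` and `tar_write_octal()` are hypothetical helper names, and the 12-byte field width is the ustar header's size field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAR_SIZE_FIELD 12   /* bytes reserved for "size" in a ustar header */

/* Largest value that fits in a field of SIZE bytes when SIZE-1 bytes hold
 * octal digits and the last byte holds the NUL terminator.
 * For the 12-byte size field this is 8^11 - 1 (just under 8 GiB). */
uintmax_t tar_octal_field_max(size_t size) {
    size_t digits = size - 1;
    if (size == 0 || digits * 3 >= sizeof(uintmax_t) * 8)
        return UINTMAX_MAX;          /* field wider than the type itself */
    return ((uintmax_t)1 << (digits * 3)) - 1;
}

/* Write VALUE into FIELD as zero-padded octal digits followed by NUL.
 * Returns 0 on success. Returns -1, leaving FIELD untouched, when VALUE
 * needs more digits than the field has; the caller must then refuse to
 * emit the header instead of writing a truncated or wrapped value. */
int tar_write_octal(char *field, size_t size, uintmax_t value) {
    if (size < 2 || value > tar_octal_field_max(size))
        return -1;
    size_t digits = size - 1;
    field[digits] = '\0';
    for (size_t i = digits; i-- > 0; ) {   /* fill from the right */
        field[i] = (char)('0' + (value & 7));
        value >>= 3;
    }
    return 0;
}

int main(void) {
    char size_field[TAR_SIZE_FIELD];
    /* Constructed sample sizes: one that fits, one byte past the maximum. */
    uintmax_t small = 1024;
    uintmax_t too_big = tar_octal_field_max(TAR_SIZE_FIELD) + 1;

    if (tar_write_octal(size_field, sizeof size_field, small) == 0)
        printf("%ju -> \"%s\"\n", small, size_field);
    if (tar_write_octal(size_field, sizeof size_field, too_big) != 0)
        printf("%ju does not fit in a %d-byte octal field; header not written\n",
               too_big, TAR_SIZE_FIELD);
    return 0;
}
```

Rejecting the entry is the minimal safe behaviour; an archiver that wants to store members larger than the field allows has to switch to an explicitly supported extension (GNU tar's base-256 size encoding, for example) rather than let the digits spill into the next header field.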

Comment 11 errata-xmlrpc 2020-09-29 19:45:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3908 https://access.redhat.com/errata/RHSA-2020:3908

Comment 12 Product Security DevOps Team 2020-09-29 21:58:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14866

Comment 13 errata-xmlrpc 2021-05-18 13:24:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1582 https://access.redhat.com/errata/RHSA-2021:1582

Comment 15 errata-xmlrpc 2022-01-11 16:26:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0073 https://access.redhat.com/errata/RHSA-2022:0073

