Thursday, April 30, 2015

tar/pax/cpio patch available

Patches are now available for 5.6 and 5.7 which fix security issues
in the combined tar, pax, and cpio program's handling of malicious
archives, as well as archives with large pax extension headers.

Our thanks to Daniel Cegielka for reporting this.

Note that the patches for 5.6 and 5.7 have several differences, so be
sure to download the correct version.

Links:

http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/024_tar.patch.sig

and

http://www.openbsd.org/errata57.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/007_tar.patch.sig


OpenBSD 5.7 errata 7, Apr 30, 2015:

tar/pax/cpio had multiple issues:
* extracting a malicious archive could create files outside of the
current directory without using pre-existing symlinks to 'escape',
and could change the timestamps and modes on preexisting files

* tar without -P would permit extraction of paths with ".." components

* there was a buffer overflow in the handling of pax extension headers.
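The second bullet is the check the patch introduces as `has_dotdot()` in extern.h, but the body of that function is not on this page. The following is an added example (not OpenBSD's pax code) of how such a check is written correctly: it treats ".." as a path component only when it is bounded by separators or the string ends, so names such as "..hidden" or "name.." are still accepted, and it tolerates repeated slashes. The `member_name_ok()` wrapper and the sample member names are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if any '/'-separated component of path is exactly "..",
 * 0 otherwise. Substrings such as "..foo" or "foo.." are not components
 * and do not match. Added example; the name matches the prototype in
 * the patch, but the body here is not OpenBSD's implementation.
 */
int
has_dotdot(const char *path)
{
	const char *p = path;

	while (*p != '\0') {
		/* skip any run of separators ("a//../b" is still a hit) */
		while (*p == '/')
			p++;
		if (*p == '\0')
			break;
		/* p now points at the first byte of a component */
		if (p[0] == '.' && p[1] == '.' &&
		    (p[2] == '/' || p[2] == '\0'))
			return 1;
		/* advance to the end of this component */
		while (*p != '\0' && *p != '/')
			p++;
	}
	return 0;
}

/*
 * Decide whether an archive member name may be extracted without -P:
 * reject absolute names and names containing a ".." component.
 * Returns 1 if the name is acceptable, 0 if the member must be skipped.
 * (Hypothetical helper for this example.)
 */
int
member_name_ok(const char *name)
{
	if (name[0] == '/')
		return 0;
	if (has_dotdot(name))
		return 0;
	return 1;
}

int
main(void)
{
	/* constructed sample member names, not taken from any real archive */
	const char *samples[] = {
		"etc/passwd", "../etc/passwd", "foo/../../x", "..hidden/file",
		"dir/name..", "/etc/passwd", "a//..//b", "..", "..."
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s %s\n", samples[i],
		    member_name_ok(samples[i]) ? "extract" : "skip");
	return 0;
}
```

Compile with `cc -Wall -o dotdot dotdot.c` and run it; the substring cases ("..hidden/file", "dir/name..", "...") are reported as extractable while every real ".." component, including the one hidden behind doubled slashes, is skipped.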

Apply by doing:
cd /usr/src
signify -Vep /etc/signify/openbsd-57-base.pub -x 007_tar.patch.sig -m - | \
patch -p0

Then build and install pax:

cd /usr/src/bin/pax
make obj
make
make install


Index: bin/pax/ar_subs.c
===================================================================
RCS file: /cvs/src/bin/pax/ar_subs.c,v
retrieving revision 1.41
diff -u -p -r1.41 ar_subs.c
--- bin/pax/ar_subs.c 21 Feb 2015 22:48:23 -0000 1.41
+++ bin/pax/ar_subs.c 30 Apr 2015 05:13:05 -0000
@@ -165,6 +165,8 @@ extract(void)
int fd;
time_t now;

+ sltab_start();
+
arcn = &archd;
/*
* figure out archive type; pass any format specific options to the
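Review bot: the return value of `sltab_start()` is discarded here although extern.h declares it as `int sltab_start(void)`; if it can fail (for example when allocating the deferred-symlink table), extract() carries on and the later `sltab_add_sym()` calls have no table to record into. Check it with the same error convention the other `*_start()` routines in this file use, e.g. `if (sltab_start() < 0) return;`.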
@@ -360,6 +362,7 @@ popd:
(void)(*frmt->end_rd)();
(void)sigprocmask(SIG_BLOCK, &s_mask, NULL);
ar_close(0);
+ sltab_process(0);
proc_dir(0);
pat_chk();
}
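Review bot: `sltab_process(0)` runs only on this normal exit path of extract(); the `_in_sig` parameter in its prototype suggests a signal-context variant exists, so the signal handler that unwinds an interrupted extraction should call `sltab_process(1)`, otherwise the deferred symlinks and their modes are silently lost. A one-line comment here that the deferred links are created after every regular member has been written and before `proc_dir(0)` finalizes directory attributes would document the ordering the fix relies on.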
@@ -758,6 +761,8 @@ copy(void)
ARCHD archd;
char dirbuf[PAXPATHLEN+1];

+ sltab_start();
+
arcn = &archd;
/*
* set up the destination dir path and make sure it is a directory. We
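Review bot: `sltab_start()` is called before the destination-directory check that the following comment describes; if that check fails and copy() returns early, the table is set up but never processed or released. Either move the call after the check or check its return value as extract() should.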
@@ -969,6 +974,7 @@ copy(void)
*/
(void)sigprocmask(SIG_BLOCK, &s_mask, NULL);
ar_close(0);
+ sltab_process(0);
proc_dir(0);
ftree_chk();
}
Index: bin/pax/extern.h
===================================================================
RCS file: /cvs/src/bin/pax/extern.h,v
retrieving revision 1.49
diff -u -p -r1.49 extern.h
--- bin/pax/extern.h 21 Feb 2015 22:48:23 -0000 1.49
+++ bin/pax/extern.h 30 Apr 2015 05:13:05 -0000
@@ -147,6 +147,8 @@ int set_ids(char *, uid_t, gid_t);
int fset_ids(char *, int, uid_t, gid_t);
void set_pmode(char *, mode_t);
void fset_pmode(char *, int, mode_t);
+int set_attr(const struct file_times *, int _force_times, mode_t, int _do_mode,
+ int _in_sig);
int file_write(int, char *, int, int *, int *, int, char *);
void file_flush(int, char *, int);
void rdfile_close(ARCHD *, int *);
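Review bot: the prototype takes `const struct file_times *`, but no `struct file_times` declaration appears before it in this hunk; unless the tag is declared earlier in extern.h or in a header included ahead of it, the struct gets prototype scope, the compiler warns that it "will not be visible outside of this definition", and callers passing a real `struct file_times *` will not type-check against it. Add `struct file_times;` above the declaration or confirm the definition precedes this header. Naming only some parameters (`_force_times`, `_do_mode`, `_in_sig`) also differs from the neighbouring prototypes, which name none.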
@@ -200,6 +202,7 @@ int pat_sel(ARCHD *);
int pat_match(ARCHD *);
int mod_name(ARCHD *);
int set_dest(ARCHD *, char *, int);
+int has_dotdot(const char *);

/*
* pax.c
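Review bot: `has_dotdot()` needs a comment stating its contract: that it flags only a component that is exactly `..` (`..`, `../x`, `x/..`, `x/../y`) rather than any substring, since names like `..foo` or `foo..` are legitimate, and that it handles repeated separators such as `a//../b`. The errata text says the check is for `..` components, so the component-wise reading should be documented and covered by a test.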
@@ -261,18 +264,29 @@ void purg_lnk(ARCHD *);
void lnk_end(void);
int ftime_start(void);
int chk_ftime(ARCHD *);
+int sltab_start(void);
+int sltab_add_sym(const char *_path, const char *_value, mode_t _mode);
+int sltab_add_link(const char *, const struct stat *);
+void sltab_process(int _in_sig);
int name_start(void);
int add_name(char *, int, char *);
void sub_name(char *, int *, size_t);
+#ifndef NOCPIO
int dev_start(void);
int add_dev(ARCHD *);
int map_dev(ARCHD *, u_long, u_long);
+#else
+# define dev_start() 0
+# define add_dev(x) 0
+# define map_dev(x,y,z) 0
+

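Review bot: in the `#else` branch, `add_dev(x)` and `map_dev(x,y,z)` become macros that expand to `0` and drop their arguments, so any argument expression with side effects is silently not evaluated and the callers' variables may become unused (warnings under -Wall); `((void)(x), 0)` and `((void)(x), (void)(y), (void)(z), 0)`, or `static inline` stubs, keep the arguments evaluated. The hunk as quoted here is cut off before the matching `#endif`, so the rest of the branch cannot be reviewed from this page. Also, `sltab_add_sym()` names its parameters while `sltab_add_link()` directly below it does not; pick one style.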