Bug#737160: [uupdate] symlink directory traversal

James McCoy jamessan at debian.org
Sat Feb 22 03:53:34 UTC 2014


On Thu, Jan 30, 2014 at 09:06:38PM +0100, Jakub Wilk wrote:
> A malicious .orig.tar file can trick uupdate into patching files
> outside the source package directory. Proof of concept:

Thanks for the report and PoC.

Looking into it some, below is my understanding of the issue and
concerns on fixing it.

First, this is only a problem for 1.0 format source packages, since
unpacking a 3.0 format's diff tarball will replace a, potentially
malicious, symlink in upstream's source with the corresponding directory
in the diff tarball.

With it constrained to 1.0 format, the problem exists for any file the
diff.gz is adding (or possibly, but much less likely, modifying) where
one of the directories in the path is a symlink pointing outside of the
upstream source tree.

We basically need to add the following just inside the if on line 730:

    for link in $(find -type l); do
        # Canonicalise the link target and require it to stay under the
        # unpacked source tree (plain prefix match on the current directory).
        resolved="$(readlink -f "$link")"
        if ! expr "$resolved" : "$(pwd)" >/dev/null; then
            echo "symlink $link escapes the source tree: $resolved" >&2
            exit 1
        fi
    done

The problem with the above is that it's not robust in the face of paths
which contain whitespace.  That means, at best, some paths aren't
properly detected and therefore are still subject to the original issue.

If someone more familiar with the intricacies of handling this sort of
scenario in (ba)sh has an idea on how to properly implement this, I'm
all ears.  Otherwise, I'm tempted to rewrite the whole thing in Perl,
but I'd rather not take the time to do that.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan at debian.org>