Bug#737160: [uupdate] symlink directory traversal

Jakub Wilk jwilk at debian.org
Sun Feb 23 11:11:04 UTC 2014 

* James McCoy <jamessan at debian.org>, 2014-02-21, 22:53:
>>A malicious .orig.tar file can trick uupdate into patching files 
>>outside the source package directory. Proof of concept:
>
>Thanks for the report and PoC.
>
>Looking into it some, below is my understanding of the issue and 
>concerns on fixing it.
>
>First, this is only a problem for 1.0 format source packages, since 
>unpacking a 3.0 format's diff tarball will replace a, potentially 
>malicious, symlink in upstream's source with the corresponding 
>directory in the diff tarball.

Indeed.

>With it constrained to 1.0 format, the problem exists for any file the 
>diff.gz is adding (or possibly, but much less likely, modifying) where 
>one of the directories in the path is a symlink pointing outside of the 
>upstream source tree.

That's right.

>We basically need to add the following just inside the if on line 730:
>
>    for link in $(find -type l); do
>        resolved="$(readlink -f "$link")"
>        if ! expr "$resolved" : "$(pwd)" >/dev/null; then
>            complain loudly
>        fi
>    done
>
>The problem with the above is that it's not robust in the face of paths 
>which contain whitespace.  That means, at best, some paths aren't 
>properly detected and therefore are still subject to original issue.

More (minor) problems I see:
- Special characters in the regexp are not escaped. At least "." could 
be legitimately part of cwd.
- TOCTOU problem: what the symlink resolves to can change between the 
readlink call and unpacking. This is because the symlink could point to 
another symlink, owned by malicious local user.
- The check probably shouldn't complain about symlinks that weren't 
going to be patched anyway.

>If someone more familiar with the inrticacies of handling this sort of 
>scenario in (ba)sh has an idea on how to properly implement this, I'm 
>all ears.

Perhaps a more viable way would be to construct a temporary new source 
package, and let dpkg-source deal with all the corner cases of unpacking 
it?

Or maybe patch(1) should (have an option to) avoid following directory 
symlinks.

-- 
Jakub Wilk

More information about the devscripts-devel mailing list