b38e97e03b
* gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive/fixed): New variable. * gnu/packages/patches/libarchive-7zip-heap-overflow.patch, gnu/packages/patches/libarchive-fix-symlink-check.patch, gnu/packages/patches/libarchive-fix-filesystem-attacks.patch, gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them.
60 lines
2.3 KiB
Diff
60 lines
2.3 KiB
Diff
Make sure to check for symlinks even if the pathname is very long:
|
|
|
|
https://github.com/libarchive/libarchive/issues/744
|
|
|
|
Patch copied from upstream repository:
|
|
|
|
https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
|
|
|
|
From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001
|
|
From: Tim Kientzle <kientzle@acm.org>
|
|
Date: Sun, 21 Aug 2016 17:11:45 -0700
|
|
Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very
|
|
long pathnames
|
|
|
|
Because check_symlinks is handled separately from the deep-directory
|
|
support, very long pathnames cause problems. Previously, the code
|
|
ignored most failures to lstat() a path component. In particular,
|
|
this led to check_symlinks always passing for very long paths, which
|
|
in turn provides a way to evade the symlink checks in the sandboxing
|
|
code.
|
|
|
|
We now fail on unrecognized lstat() failures, which plugs this
|
|
hole at the cost of disabling deep directory support when the
|
|
user requests sandboxing.
|
|
|
|
TODO: This probably cannot be completely fixed without
|
|
entirely reimplementing the deep directory support to
|
|
integrate the symlink checks. I want to reimplement the
|
|
deep directory hanlding someday anyway; openat() and
|
|
related system calls now provide a much cleaner way to
|
|
handle deep directories than the chdir approach used by this
|
|
code.
|
|
---
|
|
libarchive/archive_write_disk_posix.c | 12 +++++++++++-
|
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
|
|
index 39ee3b6..8f0421e 100644
|
|
--- a/libarchive/archive_write_disk_posix.c
|
|
+++ b/libarchive/archive_write_disk_posix.c
|
|
@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a)
|
|
r = lstat(a->name, &st);
|
|
if (r != 0) {
|
|
/* We've hit a dir that doesn't exist; stop now. */
|
|
- if (errno == ENOENT)
|
|
+ if (errno == ENOENT) {
|
|
break;
|
|
+ } else {
|
|
+ /* Note: This effectively disables deep directory
|
|
+ * support when security checks are enabled.
|
|
+ * Otherwise, very long pathnames that trigger
|
|
+ * an error here could evade the sandbox.
|
|
+ * TODO: We could do better, but it would probably
|
|
+ * require merging the symlink checks with the
|
|
+ * deep-directory editing. */
|
|
+ return (ARCHIVE_FAILED);
|
|
+ }
|
|
} else if (S_ISLNK(st.st_mode)) {
|
|
if (c == '\0') {
|
|
/*
|