|
| 1 | +From 77a3ee825c430d054492b0101750b1c7ee8edf1c Mon Sep 17 00:00:00 2001 |
| 2 | +From: AllSpark <allspark@microsoft.com> |
| 3 | +Date: Mon, 16 Feb 2026 08:13:03 +0000 |
| 4 | +Subject: [PATCH] tar: strip unsafe hardlink components - GNU tar does the same |
| 5 | + |
| 6 | +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| 7 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 8 | +Upstream-reference: AI Backport of https://github.com/mirror/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb.patch |
| 9 | +--- |
| 10 | + archival/libarchive/data_extract_all.c | 7 +++-- |
| 11 | + archival/libarchive/get_header_tar.c | 11 ++++++-- |
| 12 | + archival/libarchive/unsafe_prefix.c | 30 +++++++++++++++++---- |
| 13 | + archival/libarchive/unsafe_symlink_target.c | 1 + |
| 14 | + archival/tar.c | 2 +- |
| 15 | + archival/unzip.c | 2 +- |
| 16 | + include/bb_archive.h | 3 ++- |
| 17 | + 7 files changed, 42 insertions(+), 14 deletions(-) |
| 18 | + |
| 19 | +diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c |
| 20 | +index 8a69711..b84b960 100644 |
| 21 | +--- a/archival/libarchive/data_extract_all.c |
| 22 | ++++ b/archival/libarchive/data_extract_all.c |
| 23 | +@@ -66,8 +66,8 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle) |
| 24 | + } |
| 25 | + #endif |
| 26 | + #if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION |
| 27 | +- /* Strip leading "/" and up to last "/../" path component */ |
| 28 | +- dst_name = (char *)strip_unsafe_prefix(dst_name); |
| 29 | ++ /* Skip leading "/" and past last ".." path component */ |
| 30 | ++ dst_name = (char *)skip_unsafe_prefix(dst_name); |
| 31 | + #endif |
| 32 | + // ^^^ This may be a problem if some applets do need to extract absolute names. |
| 33 | + // (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag). |
| 34 | +@@ -185,8 +185,7 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle) |
| 35 | + |
| 36 | + /* To avoid a directory traversal attack via symlinks, |
| 37 | + * do not restore symlinks with ".." components |
| 38 | +- * or symlinks starting with "/", unless a magic |
| 39 | +- * envvar is set. |
| 40 | ++ * or symlinks starting with "/" |
| 41 | + * |
| 42 | + * For example, consider a .tar created via: |
| 43 | + * $ tar cvf bug.tar anything.txt |
| 44 | +diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c |
| 45 | +index cc6f3f0..1c40ece 100644 |
| 46 | +--- a/archival/libarchive/get_header_tar.c |
| 47 | ++++ b/archival/libarchive/get_header_tar.c |
| 48 | +@@ -454,8 +454,15 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle) |
| 49 | + #endif |
| 50 | + |
| 51 | + /* Everything up to and including last ".." component is stripped */ |
| 52 | +- overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name)); |
| 53 | +-//TODO: do the same for file_header->link_target? |
| 54 | ++ strip_unsafe_prefix(file_header->name); |
| 55 | ++ if (file_header->link_target) { |
| 56 | ++ /* GNU tar 1.34 examples: |
| 57 | ++ * tar: Removing leading '/' from hard link targets |
| 58 | ++ * tar: Removing leading '../' from hard link targets |
| 59 | ++ * tar: Removing leading 'etc/../' from hard link targets |
| 60 | ++ */ |
| 61 | ++ strip_unsafe_prefix(file_header->link_target); |
| 62 | ++ } |
| 63 | + |
| 64 | + /* Strip trailing '/' in directories */ |
| 65 | + /* Must be done after mode is set as '/' is used to check if it's a directory */ |
| 66 | +diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c |
| 67 | +index 6670811..89a371a 100644 |
| 68 | +--- a/archival/libarchive/unsafe_prefix.c |
| 69 | ++++ b/archival/libarchive/unsafe_prefix.c |
| 70 | +@@ -5,11 +5,11 @@ |
| 71 | + #include "libbb.h" |
| 72 | + #include "bb_archive.h" |
| 73 | + |
| 74 | +-const char* FAST_FUNC strip_unsafe_prefix(const char *str) |
| 75 | ++const char* FAST_FUNC skip_unsafe_prefix(const char *str) |
| 76 | + { |
| 77 | + const char *cp = str; |
| 78 | + while (1) { |
| 79 | +- char *cp2; |
| 80 | ++ const char *cp2; |
| 81 | + if (*cp == '/') { |
| 82 | + cp++; |
| 83 | + continue; |
| 84 | +@@ -22,10 +22,25 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str) |
| 85 | + cp += 3; |
| 86 | + continue; |
| 87 | + } |
| 88 | +- cp2 = strstr(cp, "/../"); |
| 89 | ++ cp2 = cp; |
| 90 | ++ find_dotdot: |
| 91 | ++ cp2 = strstr(cp2, "/.."); |
| 92 | + if (!cp2) |
| 93 | +- break; |
| 94 | +- cp = cp2 + 4; |
| 95 | ++ break; /* No (more) malicious components */ |
| 96 | ++ |
| 97 | ++ /* We found "/..something" */ |
| 98 | ++ cp2 += 3; |
| 99 | ++ if (*cp2 != '/') { |
| 100 | ++ if (*cp2 == '\0') { |
| 101 | ++ /* Trailing "/..": malicious, return "" */ |
| 102 | ++ /* (causes harmless errors trying to create or hardlink a file named "") */ |
| 103 | ++ return cp2; |
| 104 | ++ } |
| 105 | ++ /* "/..name" is not malicious, look for next "/.." */ |
| 106 | ++ goto find_dotdot; |
| 107 | ++ } |
| 108 | ++ /* Found "/../": malicious, advance past it */ |
| 109 | ++ cp = cp2 + 1; |
| 110 | + } |
| 111 | + if (cp != str) { |
| 112 | + static smallint warned = 0; |
| 113 | +@@ -37,3 +52,8 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str) |
| 114 | + } |
| 115 | + return cp; |
| 116 | + } |
| 117 | ++ |
| 118 | ++void FAST_FUNC strip_unsafe_prefix(char *str) |
| 119 | ++{ |
| 120 | ++ overlapping_strcpy(str, skip_unsafe_prefix(str)); |
| 121 | ++} |
| 122 | +diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c |
| 123 | +index f8dc803..d764c89 100644 |
| 124 | +--- a/archival/libarchive/unsafe_symlink_target.c |
| 125 | ++++ b/archival/libarchive/unsafe_symlink_target.c |
| 126 | +@@ -36,6 +36,7 @@ void FAST_FUNC create_links_from_list(llist_t *list) |
| 127 | + *list->data ? "hard" : "sym", |
| 128 | + list->data + 1, target |
| 129 | + ); |
| 130 | ++ /* Note: GNU tar 1.34 errors out only _after_ all links are (attempted to be) created */ |
| 131 | + } |
| 132 | + list = list->link; |
| 133 | + } |
| 134 | +diff --git a/archival/tar.c b/archival/tar.c |
| 135 | +index 9de3759..cf8c2d1 100644 |
| 136 | +--- a/archival/tar.c |
| 137 | ++++ b/archival/tar.c |
| 138 | +@@ -475,7 +475,7 @@ static int FAST_FUNC writeFileToTarball(struct recursive_state *state, |
| 139 | + DBG("writeFileToTarball('%s')", fileName); |
| 140 | + |
| 141 | + /* Strip leading '/' and such (must be before memorizing hardlink's name) */ |
| 142 | +- header_name = strip_unsafe_prefix(fileName); |
| 143 | ++ header_name = skip_unsafe_prefix(fileName); |
| 144 | + |
| 145 | + if (header_name[0] == '\0') |
| 146 | + return TRUE; |
| 147 | +diff --git a/archival/unzip.c b/archival/unzip.c |
| 148 | +index 691a2d8..5844215 100644 |
| 149 | +--- a/archival/unzip.c |
| 150 | ++++ b/archival/unzip.c |
| 151 | +@@ -853,7 +853,7 @@ int unzip_main(int argc, char **argv) |
| 152 | + unzip_skip(zip.fmt.extra_len); |
| 153 | + |
| 154 | + /* Guard against "/abspath", "/../" and similar attacks */ |
| 155 | +- overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn)); |
| 156 | ++ strip_unsafe_prefix(dst_fn); |
| 157 | + |
| 158 | + /* Filter zip entries */ |
| 159 | + if (find_list_entry(zreject, dst_fn) |
| 160 | +diff --git a/include/bb_archive.h b/include/bb_archive.h |
| 161 | +index e0ef8fc..1dc77f3 100644 |
| 162 | +--- a/include/bb_archive.h |
| 163 | ++++ b/include/bb_archive.h |
| 164 | +@@ -202,7 +202,8 @@ char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC; |
| 165 | + void seek_by_jump(int fd, off_t amount) FAST_FUNC; |
| 166 | + void seek_by_read(int fd, off_t amount) FAST_FUNC; |
| 167 | + |
| 168 | +-const char *strip_unsafe_prefix(const char *str) FAST_FUNC; |
| 169 | ++const char *skip_unsafe_prefix(const char *str) FAST_FUNC; |
| 170 | ++void strip_unsafe_prefix(char *str) FAST_FUNC; |
| 171 | + void create_or_remember_link(llist_t **link_placeholders, |
| 172 | + const char *target, |
| 173 | + const char *linkname, |
| 174 | +-- |
| 175 | +2.45.4 |
| 176 | + |
0 commit comments