Fixes Open Vulnerability CVE-2022-37705 #194
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes one of vulnerabilities discussed on : #192, CVE-2022-37705.
Context:
with careful selection of arguments, runtar binary can be tricked into invoking shell and since it as SUID bit set and owner is root, it spawns a root shell local low privileged user reference
Code Context:
argument check logic for arguments of type
--foo bar
is being misused to skip parsing malicious arguments.runtar
keepsgood_option
variable to keep track of good and bad arguments which are in turn passed to the tar command in the exact order specified toruntar
.for arguments of type
--foo bar
it incrementsgood_option
twice ( += 2) accounting forbar
to be the next argument and skips checking for it, but--foo bar
can also be specified as--foo=bar
where valuebar
is already specified for argument--foo
so withgood_option
still have count >=0 causing immediate argument after this to not checked.Fix:
For arguemnts of type
--foo
we only increment count by 1, since there is already a check to account for values to arguments here