Unsquashfs: additional write outside destination directory exploit fix
An issue on github (#72) showed how some specially crafted Squashfs filesystems containing invalid file names (with '/' and '..') can cause Unsquashfs to write files outside of the destination directory. Since then it has been shown that specially crafted Squashfs filesystems that contain a symbolic link pointing outside of the destination directory, coupled with an identically named file within the same directory, can cause Unsquashfs to write files outside of the destination directory. Specifically the symbolic link produces a pathname pointing outside of the destination directory, which is then followed when writing the duplicate identically named file within the directory. This commit fixes this exploit by explicitly checking for duplicate filenames within a directory. As directories in v2.1, v3.x, and v4.0 filesystems are sorted, this is achieved by checking for consecutively identical filenames. Additionally directories are checked to ensure they are sorted, to avoid attempts to evade the duplicate check. Version 1.x and 2.0 filesystems (where the directories were unsorted) are sorted and then the above duplicate filename check is applied.

Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
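A check of the kind the commit message describes, as an added example that is not squashfs-tools code: it walks a directory's entry list once, rejecting any out-of-order pair (the sortedness check) and any two consecutive identical names (the symlink-plus-file duplicate). The struct dir and struct dir_ent used here are simplified stand-ins for the project's structures of the same name, and the name lists are constructed test data, not entries from a real image.

```c
/* Added example, not squashfs-tools code: sortedness plus consecutive-duplicate
 * check over a directory entry list. struct dir/dir_ent are simplified stand-ins. */
#include <stdlib.h>
#include <string.h>
struct dir_ent {
	const char *name;
	struct dir_ent *next;
};

struct dir {
	int dir_count;
	struct dir_ent *dirs;
};

/*
 * Entries are expected in strcmp order, so a duplicate name must sit next to
 * its twin: one pass over consecutive pairs finds the duplicate and also any
 * reordering meant to hide it. Returns 0 if sorted and duplicate-free,
 * -1 if a pair is out of order, -2 if two consecutive names are identical.
 */
int check_directory(const struct dir *dir)
{
	const struct dir_ent *ent;
	for(ent = dir->dirs; ent && ent->next; ent = ent->next) {
		int cmp = strcmp(ent->name, ent->next->name);
		if(cmp == 0)
			return -2;	/* e.g. symlink "x" followed by file "x" */
		if(cmp > 0)
			return -1;	/* unsorted: reject rather than trust the image */
	}
	return 0;
}

/* Link a constructed array of names into a list and run the check. */
int check_names(const char **names, int n)
{
	struct dir_ent *ents = calloc(n > 0 ? n : 1, sizeof(*ents));
	struct dir dir = { n, n > 0 ? ents : NULL };
	int i, ret;
	if(ents == NULL)
		return -3;
	for(i = 0; i < n; i++) {
		ents[i].name = names[i];
		ents[i].next = i + 1 < n ? &ents[i + 1] : NULL;
	}
	ret = check_directory(&dir);
	free(ents);
	return ret;
}
```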
Showing 8 changed files with 173 additions and 2 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -160,8 +160,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \ | |
| caches-queues-lists.o reader.o tar.o | ||
|
|
||
| UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \ | ||
| unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \ | ||
| compressor.o unsquashfs_info.o | ||
| unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o unsquash-12.o \ | ||
| swap.o compressor.o unsquashfs_info.o | ||
|
|
||
| CFLAGS ?= -O2 | ||
| CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \ | ||
|
|
@@ -393,6 +393,8 @@ unsquash-34.o: unsquashfs.h unsquash-34.c unsquashfs_error.h | |
|
|
||
| unsquash-1234.o: unsquash-1234.c unsquashfs_error.h | ||
|
|
||
| unsquash-1234.o: unsquash-12.c | ||
|
||
|
|
||
| unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h unsquashfs_error.h | ||
|
|
||
| unsquashfs_info.o: unsquashfs.h squashfs_fs.h unsquashfs_error.h | ||
|
|
||
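Review bot: the added dependency line `unsquash-1234.o: unsquash-12.c` names the wrong target. It makes unsquash-1234.o depend on unsquash-12.c, while unsquash-12.o, which the first hunk adds to UNSQUASHFS_OBJS, gets no explicit rule at all, so it is built only by make's implicit rule and will not be rebuilt when unsquashfs.h (which unsquash-12.c includes) changes. It should read `unsquash-12.o: unsquash-12.c unsquashfs.h` in the form of the neighbouring rules such as `unsquash-1234.o: unsquash-1234.c unsquashfs_error.h`.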
| @@ -0,0 +1,110 @@ | ||
| /* | ||
| * Unsquash a squashfs filesystem. This is a highly compressed read only | ||
| * filesystem. | ||
| * | ||
| * Copyright (c) 2021 | ||
| * Phillip Lougher <phillip@squashfs.org.uk> | ||
| * | ||
| * This program is free software; you can redistribute it and/or | ||
| * modify it under the terms of the GNU General Public License | ||
| * as published by the Free Software Foundation; either version 2, | ||
| * or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU General Public License | ||
| * along with this program; if not, write to the Free Software | ||
| * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | ||
| * | ||
| * unsquash-12.c | ||
| * | ||
| * Helper functions used by unsquash-1 and unsquash-2. | ||
| */ | ||
|
|
||
| #include "unsquashfs.h" | ||
|
|
||
| /* | ||
| * Bottom up linked list merge sort. | ||
| * | ||
| */ | ||
| void sort_directory(struct dir *dir) | ||
| { | ||
| struct dir_ent *cur, *l1, *l2, *next; | ||
| int len1, len2, stride = 1; | ||
|
|
||
| if(dir->dir_count < 2) | ||
| return; | ||
|
|
||
| /* | ||
| * We can consider our linked-list to be made up of stride length | ||
| * sublists. Eacn iteration around this loop merges adjacent | ||
| * stride length sublists into larger 2*stride sublists. We stop | ||
| * when stride becomes equal to the entire list. | ||
| * | ||
| * Initially stride = 1 (by definition a sublist of 1 is sorted), and | ||
| * these 1 element sublists are merged into 2 element sublists, which | ||
| * are then merged into 4 element sublists and so on. | ||
| */ | ||
| do { | ||
| l2 = dir->dirs; /* head of current linked list */ | ||
| cur = NULL; /* empty output list */ | ||
|
|
||
| /* | ||
| * Iterate through the linked list, merging adjacent sublists. | ||
| * On each interation l2 points to the next sublist pair to be | ||
| * merged (if there's only one sublist left this is simply added | ||
| * to the output list) | ||
| */ | ||
| while(l2) { | ||
| l1 = l2; | ||
| for(len1 = 0; l2 && len1 < stride; len1 ++, l2 = l2->next); | ||
| len2 = stride; | ||
|
|
||
| /* | ||
| * l1 points to first sublist. | ||
| * l2 points to second sublist. | ||
| * Merge them onto the output list | ||
| */ | ||
| while(len1 && l2 && len2) { | ||
| if(strcmp(l1->name, l2->name) <= 0) { | ||
| next = l1; | ||
| l1 = l1->next; | ||
| len1 --; | ||
| } else { | ||
| next = l2; | ||
| l2 = l2->next; | ||
| len2 --; | ||
| } | ||
|
|
||
| if(cur) { | ||
| cur->next = next; | ||
| cur = next; | ||
| } else | ||
| dir->dirs = cur = next; | ||
| } | ||
| /* | ||
| * One sublist is now empty, copy the other one onto the | ||
| * output list | ||
| */ | ||
| for(; len1; len1 --, l1 = l1->next) { | ||
| if(cur) { | ||
| cur->next = l1; | ||
| cur = l1; | ||
| } else | ||
| dir->dirs = cur = l1; | ||
| } | ||
| for(; l2 && len2; len2 --, l2 = l2->next) { | ||
| if(cur) { | ||
| cur->next = l2; | ||
| cur = l2; | ||
| } else | ||
| dir->dirs = cur = l2; | ||
| } | ||
| } | ||
| cur->next = NULL; | ||
| stride = stride << 1; | ||
| } while(stride < dir->dir_count); | ||
| } |
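Review bot: two typos in the comments, "Eacn" should be "Each" and "interation" should be "iteration". The merge takes from l1 on `strcmp(l1->name, l2->name) <= 0`, so the sort is stable and the result is plain byte order; the consecutive-duplicate check the commit message describes must compare with the same comparator, otherwise names that strcmp considers equal could end up non-adjacent and be missed. The file calls strcmp but only includes unsquashfs.h, so it relies on that header pulling in <string.h>; an explicit `#include <string.h>` would make the dependency clear. The early return on `dir_count < 2` is what guarantees `cur` is non-NULL at `cur->next = NULL`, which is worth a one-line comment since the relationship is not obvious at that point.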
2 comments on commit e048580
Hello, CVE-2021-41072 has been assigned for this issue. Thanks for the very quick turn-around time on this issue.
Might we have a release with this fix please?
Should this be unsquash-12.o, i.e. unsquash-12.o: unsquash-12.c?