Fixes Open Vulnerability CVE-2022-37705 #194
Closed
Closes one of the vulnerabilities discussed in #192: CVE-2022-37705.
Context:
With careful selection of arguments, the runtar binary can be tricked into invoking a shell, and since it has the SUID bit set and its owner is root, it spawns a root shell for a local low-privileged user (reference).
Code Context:
The argument check logic for arguments of type `--foo bar` is being misused to skip parsing malicious arguments. `runtar` keeps a `good_option` variable to keep track of good and bad arguments, which are in turn passed to the tar command in the exact order specified to `runtar`. For arguments of type `--foo bar` it increments `good_option` twice (`+= 2`), accounting for `bar` to be the next argument, and skips checking for it. But `--foo bar` can also be specified as `--foo=bar`, where the value `bar` is already specified for the argument `--foo`, so with `good_option` still having a count >= 0, the argument immediately after this is not checked.
Fix:
For arguments of type `--foo` we only increment the count by 1, since there is already a check to account for values to arguments here.
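A simplified model of the counter logic described above, as an added example that is not runtar's code or part of this pull request. `is_value_option`, `filter_args`, `--foo` and `--unvetted` are hypothetical names, and prefix matching of option names is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist holding one option that takes a value (constructed). */
static int is_value_option(const char *a) {
    return strncmp(a, "--foo", 5) == 0;   /* prefix match: also matches --foo=bar */
}

/* Simplified model of the check described above.
 * step = credit granted for a value-taking option: 2 before the fix, 1 after.
 * Returns how many arguments would be forwarded to tar, or -1 on rejection. */
static int filter_args(const char *const *argv, int argc, int step) {
    int good_option = 0, forwarded = 0;
    for (int i = 0; i < argc; i++) {
        const char *a = argv[i];
        if (good_option <= 0) {            /* inspect only when no credit is pending */
            if (is_value_option(a))
                good_option += step;
            else if (a[0] != '-')          /* a plain value or file name */
                good_option += 1;
        }
        if (good_option <= 0)
            return -1;                     /* unknown option: refuse the command line */
        good_option--;                     /* argument accepted, spend one credit */
        forwarded++;
    }
    return forwarded;
}

/* Constructed inputs; --unvetted stands for any option not on the allowlist. */
static const char *const separate[] = { "--foo", "bar" };
static const char *const joined[]   = { "--foo=bar", "--unvetted" };

int main(void) {
    printf("separate, step 2: %d\n", filter_args(separate, 2, 2));
    printf("separate, step 1: %d\n", filter_args(separate, 2, 1));
    printf("joined,   step 2: %d\n", filter_args(joined, 2, 2));
    printf("joined,   step 1: %d\n", filter_args(joined, 2, 1));
    return 0;
}
```

With a step of 2 the joined form leaves one unspent credit, so the following option is forwarded without inspection; with a step of 1 the separate form still passes because the value is accepted by the non-option branch.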