Bug 1219619 (CVE-2023-7216)

Summary: VUL-0: CVE-2023-7216: cpio: extraction allows symlinks which enables Remote Command Execution
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Danilo Spinella <danilo.spinella>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: meissner, thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/393036/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-7216:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-06 10:54:17 UTC
A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which could be utilized to run arbitrary commands on the target system.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216
https://bugzilla.redhat.com/show_bug.cgi?id=2249901
https://www.cve.org/CVERecord?id=CVE-2023-7216
https://access.redhat.com/security/cve/CVE-2023-7216
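As an added, defender-side illustration of the pre-extraction check the description implies (example code, not from cpio, Red Hat or SUSE): a minimal parser for the SVR4 "newc" cpio format that flags entries which would land outside the extraction directory, i.e. absolute names (what --no-absolute-filenames strips), ".." components, symlinks whose target resolves outside the destination, and later entries whose path passes through such a symlink. The newc_entry builder and the destination /tmp/extract are assumptions used only to construct sample data.

```python
import posixpath

NEWC_MAGIC = b"070701"  # ASCII magic of the SVR4 "newc" cpio format
S_IFMT, S_IFLNK = 0o170000, 0o120000

def _pad4(n):
    return (4 - n % 4) % 4

def newc_entry(name, mode, body=b""):
    """Build one newc entry; used here only to construct sample archives."""
    nm = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
    vals = (0, mode, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nm), 0)
    blob = NEWC_MAGIC + b"".join(b"%08x" % v for v in vals) + nm
    blob += b"\0" * _pad4(len(blob))
    return blob + body + b"\0" * _pad4(len(body))

def iter_newc(data):
    """Yield (name, mode, body) for each entry up to the TRAILER!!! record."""
    pos = 0
    while True:
        if data[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        f = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = data[pos + 110:pos + 110 + namesize - 1].decode()
        pos += 110 + namesize + _pad4(110 + namesize)
        body, pos = data[pos:pos + size], pos + size + _pad4(size)
        if name == "TRAILER!!!":
            return
        yield name, mode, body

def unsafe_entries(archive, dest):
    """Return (name, reason) pairs for entries that would land outside dest."""
    findings, symlinks = [], set()
    for name, mode, body in iter_newc(archive):
        parts = name.split("/")
        if posixpath.isabs(name):
            findings.append((name, "absolute path"))
        elif ".." in parts:
            findings.append((name, "parent-directory traversal"))
        elif any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            findings.append((name, "path passes through an earlier symlink"))
        if mode & S_IFMT == S_IFLNK:  # link target is stored as the entry body
            target = body.decode()
            resolved = posixpath.normpath(posixpath.join(dest, posixpath.dirname(name), target))
            if not resolved.startswith(dest.rstrip("/") + "/"):
                findings.append((name, "symlink target escapes dest: " + target))
            symlinks.add(name)
    return findings
```

Run unsafe_entries over an archive's bytes before handing it to cpio; an empty list means no entry resolves outside the chosen destination.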
Comment 1 Thomas Leroy 2024-02-06 10:55:36 UTC
I don't see any fix upstream.

I triggered the path traversal on:
- SUSE:SLE-15-SP4:Update
- SUSE:ALP:Source:Standard:1.0
- openSUSE:Factory
Comment 5 Marcus Meissner 2024-04-25 14:55:58 UTC
https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html


>       First of all, I would like to confirm with you, do you accept
>       CVE-2023-7216? Is CVE-2023-7216 a bug or is it the default
>       behavior of cpio software?

It is a normal behavior.  Please use the --no-absolute-filenames option
to avoid it, if it is not desired.

Regards,
Sergey