Closed Bug 1806899 Opened 1 year ago Closed 1 year ago

Sanitize tarfile.extractall input

Tracking

(Not tracked)

Status:

RESOLVED FIXED

People

(Reporter: gbrown, Assigned: gbrown)

References

Details

(Keywords: leave-open)

Attachments

(15 files, 1 obsolete file)

Bug 1806899 - Sanitize extractall input (mozharness) 1 year ago Geoff Brown [:gbrown] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1806899 - Sanitize extractall input (mozbuild) 1 year ago Geoff Brown [:gbrown] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1806899 - test unpacking crafted archives 1 year ago Julien Cristau [:jcristau] 48 bytes, text/x-phabricator-request		Details \| Review
[mozilla-releng/tooltool] Bug 1806899 - Sanitize extractall input, and bump version (#1066) 1 year ago BMO Automation 52 bytes, text/x-github-pull-request		Details \| Review
Bug 1806899 - Sanitize extractall input (m-c tooltool) 1 year ago Geoff Brown [:gbrown] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1806899 - Harden mozfile extract_tarball 1 year ago Geoff Brown [:gbrown] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1806899 - Sanitize extractall input (remaining) 1 year ago Geoff Brown [:gbrown] 48 bytes, text/x-phabricator-request		Details \| Review
[mozilla-releng/tooltool] Bug 1806899 - Detect link escapes in safe_extract (#1077) 1 year ago BMO Automation 52 bytes, text/x-github-pull-request		Details \| Review
[mozilla-releng/tooltool] Bug 1806899 - Detect link escapes in safe_extract (#1084) 1 year ago BMO Automation 52 bytes, text/x-github-pull-request		Details \| Review
Bug 1806899 - Detect link escapes in safe_extract (all m-c) 1 year ago Geoff Brown [:gbrown] 48 bytes, text/x-phabricator-request		Details \| Review
[mozilla-releng/scriptworker-scripts] Bug 1806899 - [flatpakscript] Detect link escapes in safe_extract (#674) 1 year ago BMO Automation 63 bytes, text/x-github-pull-request		Details \| Review
[mozilla-releng/tooltool] Bug 1806899 - Remove unused members parameter from safe_extract (#1088) 1 year ago BMO Automation 52 bytes, text/x-github-pull-request		Details \| Review
Bug 1806899 - Update vendored copy of tooltool client (wpt) 1 year ago Geoff Brown [:gbrown] 48 bytes, text/x-phabricator-request		Details \| Review
[mozilla-releng/scriptworker-scripts] Bug 1806899 - [signingscript] update vendored mozbuild (#682) 1 year ago BMO Automation 63 bytes, text/x-github-pull-request		Details \| Review
[mozilla-releng/scriptworker-scripts] Bug 1806899 - Update vendored mozbuild (top level) (#683) 1 year ago BMO Automation 63 bytes, text/x-github-pull-request		Details \| Review
[mozilla-releng/scriptworker-scripts] Bug 1806899 - [signingscript] use safe_extract for one more tar extraction (#688) 1 year ago BMO Automation 63 bytes, text/x-github-pull-request		Details \| Review

Geoff Brown [:gbrown]

Assignee

Description

•

1 year ago

See https://github.com/mozilla-releng/scriptworker-scripts/pull/593 and https://github.com/advisories/GHSA-gw9q-c7gh-j9vm

Geoff Brown [:gbrown]

Assignee

Comment 1

•

1 year ago

Attached file Bug 1806899 - Sanitize extractall input (mozharness) — Details

Geoff Brown [:gbrown]

Assignee

Comment 2

•

1 year ago

Attached file Bug 1806899 - Sanitize extractall input (mozbuild) — Details

Julien Cristau [:jcristau]

Comment 3

•

1 year ago

Attached file Bug 1806899 - test unpacking crafted archives — Details

archive-escape.tar is the same as archive.tar with an extra empty
../../../../../../../etc/passwd member appended
archive-setuid.tar is the same as archive.tar with an extra empty
./bin/setuid member appended, with mode 1744

David Lawrence [:dkl]

Updated

•

1 year ago

Group: partner-confidential

Pulsebot

Comment 4

•

1 year ago

Pushed by gbrown@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b171320171a1
Sanitize extractall input (mozharness) r=jcristau

Geoff Brown [:gbrown]

Assignee

Updated

•

1 year ago

Keywords: leave-open

Marian-Vasile Laza

Comment 5

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/b171320171a1

Pulsebot

Comment 6

•

1 year ago

Pushed by jcristau@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7b37ded95024
test unpacking crafted archives r=gbrown

Noemi Erli[:noemi_erli]

Comment 7

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/7b37ded95024

Geoff Brown [:gbrown]

Assignee

Updated

•

1 year ago

Comment 8

•

1 year ago

Attached file [mozilla-releng/tooltool] Bug 1806899 - Sanitize extractall input, and bump version (#1066) — Details

Geoff Brown [:gbrown]

Assignee

Comment 9

•

1 year ago

Attached file Bug 1806899 - Sanitize extractall input (m-c tooltool) — Details

Syncs m-c copy of tooltool.py with https://github.com/mozilla-releng/tooltool/pull/1066

Pulsebot

Comment 10

•

1 year ago

Pushed by gbrown@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6e5ab36bae64
Sanitize extractall input (m-c tooltool) r=jcristau

Sandor Molnar[:smolnar]

Comment 11

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/6e5ab36bae64

Geoff Brown [:gbrown]

Assignee

Comment 12

•

1 year ago

Attached file Bug 1806899 - Harden mozfile extract_tarball — Details

Add a check for setuid/gid on each tar member to be extracted.
Modify the check for escaping the destination: This should catch
absolute paths now, and also allow for the unusual but innocuous
case of "<subdir>/..".

Phabricator Automation

Updated

•

1 year ago

Attachment #9309469 - Attachment description: Bug 1806899 - Sanitize extractall input (dmg.py) → Bug 1806899 - Sanitize extractall input (mozbuild)

Pulsebot

Comment 13

•

1 year ago

Pushed by gbrown@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2fbbe5e4b32f
Harden mozfile extract_tarball r=ahal

Geoff Brown [:gbrown]

Assignee

Comment 14

•

1 year ago

Attached file Bug 1806899 - Sanitize extractall input (remaining) — Details

Geoff Brown [:gbrown]

Assignee

Updated

•

1 year ago

Duplicate of this bug: 1298953

Noemi Erli[:noemi_erli]

Comment 16

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/2fbbe5e4b32f

Pulsebot

Comment 17

•

1 year ago

Pushed by gbrown@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3eab2cd717ad
Sanitize extractall input (remaining) r=jcristau

Pulsebot

Comment 18

•

1 year ago

Pushed by gbrown@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/30c4cf95cc4d
Sanitize extractall input (mozbuild) r=jcristau

Cristina Horotan [:chorotan]

Comment 19

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/3eab2cd717ad
https://hg.mozilla.org/mozilla-central/rev/30c4cf95cc4d

BMO Automation

Comment 20

•

1 year ago

Attached file [mozilla-releng/tooltool] Bug 1806899 - Detect link escapes in safe_extract (#1077) (obsolete) — Details

BMO Automation

Comment 21

•

1 year ago

Attached file [mozilla-releng/tooltool] Bug 1806899 - Detect link escapes in safe_extract (#1084) — Details

Geoff Brown [:gbrown]

Assignee

Updated

•

1 year ago

Attachment #9318254 - Attachment is obsolete: true

Geoff Brown [:gbrown]

Assignee

Comment 22

•

1 year ago

Attached file Bug 1806899 - Detect link escapes in safe_extract (all m-c) — Details

Apply the link escape check from tooltool to all the m-c tarfile extractions
previously updated.

BMO Automation

Comment 23

•

1 year ago

Attached file [mozilla-releng/scriptworker-scripts] Bug 1806899 - [flatpakscript] Detect link escapes in safe_extract (#674) — Details

BMO Automation

Comment 24

•

1 year ago

Attached file [mozilla-releng/tooltool] Bug 1806899 - Remove unused members parameter from safe_extract (#1088) — Details

Pulsebot

Comment 25

•

1 year ago

Pushed by gbrown@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/79967b676cf8
Detect link escapes in safe_extract (all m-c) r=jcristau

Geoff Brown [:gbrown]

Assignee

Comment 26

•

1 year ago

Attached file Bug 1806899 - Update vendored copy of tooltool client (wpt) — Details

Update the web-platform tests' copy of tooltool client with the latest version from the tooltool repo.

Serban Stanca [:SerbanS]

Comment 27

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/79967b676cf8

Pulsebot

Comment 28

•

1 year ago

Pushed by gbrown@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/907dd0b20c7f
Update vendored copy of tooltool client (wpt) r=jgraham

Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)

Comment 29

•

1 year ago

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/38786 for changes under testing/web-platform/tests

Geoff Brown [:gbrown]

Assignee

Comment 30

•

1 year ago

I found another copy of tooltool.py in mozilla-vpn-client: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/6208

Sandor Molnar[:smolnar]

Comment 31

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/907dd0b20c7f

BMO Automation

Comment 32

•

1 year ago

Attached file [mozilla-releng/scriptworker-scripts] Bug 1806899 - [signingscript] update vendored mozbuild (#682) — Details

BMO Automation

Comment 33

•

1 year ago

Attached file [mozilla-releng/scriptworker-scripts] Bug 1806899 - Update vendored mozbuild (top level) (#683) — Details

Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)

Comment 34

•

1 year ago

Upstream PR merged by jgraham

BMO Automation

Comment 35

•

1 year ago

Attached file [mozilla-releng/scriptworker-scripts] Bug 1806899 - [signingscript] use safe_extract for one more tar extraction (#688) — Details

Geoff Brown [:gbrown]

Assignee

Updated

•

1 year ago

Status: NEW → RESOLVED

Closed: 1 year ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.