Closes one of the vulnerabilities discussed on: #192, CVE-2022-37705.
Context:
With careful selection of arguments, the runtar binary can be tricked into invoking a shell, and since it has the SUID bit set and its owner is root, it spawns a root shell for a local low-privileged user (reference).
Code Context:
The argument check logic for arguments of type --foo bar is being misused to skip parsing malicious arguments.
runtar keeps a good_option variable to keep track of good and bad arguments, which are in turn passed to the tar command in the exact order specified to runtar.
For arguments of type --foo bar it increments good_option twice (+= 2), accounting for bar to be the next argument, and skips checking it. But --foo bar can also be specified as --foo=bar, where the value bar is already specified for the argument --foo, so good_option still has a count >=0, causing the argument immediately after this to not be checked.
Fix:
For arguments of type --foo we only increment the count by 1, since there is already a check to account for values to arguments here.
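
A simplified model of the counter logic described above, added here as an illustration; it is not runtar's source and not part of this PR. The names first_rejected and VALUE_OPT, the sample arguments, and the rule that a word not starting with '-' counts as a value are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlisted option that takes a value (stands in for --foo). */
static const char *VALUE_OPT = "--foo";

/* Constructed inputs; "--not-allowed" is a placeholder for any option
 * that is not on the allowlist. */
static const char *SPACE_FORM[] = { "--foo", "bar", "--not-allowed" };
static const char *EQUALS_FORM[] = { "--foo=bar", "--not-allowed" };

/* Returns the index of the first rejected argument, or -1 if every
 * argument would be forwarded to tar. `step` is the credit given when
 * VALUE_OPT matches: 2 models the behaviour before the fix, 1 after. */
static int first_rejected(int argc, const char **argv, int step)
{
    int good_option = 0;

    for (int i = 0; i < argc; i++) {
        if (good_option <= 0) {           /* only inspect when no credit is left */
            if (strncmp(argv[i], VALUE_OPT, strlen(VALUE_OPT)) == 0)
                good_option += step;      /* prefix match also hits --foo=bar */
            else if (argv[i][0] != '-')
                good_option += 1;         /* assumed value check: plain words pass */
        }
        if (good_option <= 0)
            return i;                     /* not allowlisted: reject */
        good_option--;                    /* spend one credit on this argument */
    }
    return -1;
}

int main(void)
{
    printf("before, --foo bar : %d\n", first_rejected(3, SPACE_FORM, 2));
    printf("before, --foo=bar : %d\n", first_rejected(2, EQUALS_FORM, 2));
    printf("after,  --foo bar : %d\n", first_rejected(3, SPACE_FORM, 1));
    printf("after,  --foo=bar : %d\n", first_rejected(2, EQUALS_FORM, 1));
    return 0;
}
```

With a credit of 2, the --foo=bar form leaves one credit unspent, so the following argument is forwarded without being inspected; with a credit of 1 it is inspected and rejected, while the --foo bar form is still accepted through the value check.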