
#194 Fixes Open Vulnerability CVE-2022-37705

closed
nobody
None
2023-02-10
2023-02-02
Anonymous
No

Originally created by: prajwaltr93

Closes one of the vulnerabilities discussed in [#192]: CVE-2022-37705.

Context:

With careful selection of arguments, the runtar binary can be tricked into invoking a shell, and since it has the SUID bit set and its owner is root, it spawns a root shell for a local low-privileged user (reference).

Code Context:

The argument check logic for arguments of type --foo bar is being misused to skip parsing malicious arguments.

runtar keeps a good_option variable to keep track of good and bad arguments, which are in turn passed to the tar command in the exact order specified to runtar.

For arguments of type --foo bar it increments good_option twice (+= 2), accounting for bar being the next argument, and skips checking it. But --foo bar can also be specified as --foo=bar, where the value bar is already specified for argument --foo, so with good_option still having a count >= 0, the argument immediately after this is not checked.

Fix:

For arguments of type --foo we only increment the count by 1, since there is already a check to account for values to arguments here

        } else if (argv[i][0] != '-') {
            good_option++;
        }

Related

Tickets: #192
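
A simplified model of the counter logic described in this ticket, as an added example that is not runtar's source or the patch author's code: the function `args_accepted`, its `step` parameter and the option names `--foo` and `--not-allowed` are assumptions made for illustration. It shows why `--foo=bar` leaves the following argument uninspected when the counter is raised by 2, and that raising it by 1 closes the gap.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the counter described above; not runtar's source.
 * "--foo" is the only allowed option and takes a value.
 * step is what an allowed "--foo" adds to good_option:
 *   2 = behaviour before the fix, 1 = behaviour after the fix.
 * Returns 1 if every argument is accepted, 0 if one is rejected. */
static int args_accepted(const char *const argv[], int step)
{
    int good_option = 0;

    for (int i = 0; argv[i] != NULL; i++) {
        if (good_option <= 0) {            /* this argument is inspected */
            if (strncmp(argv[i], "--foo", 5) == 0 &&
                (argv[i][5] == '\0' || argv[i][5] == '=')) {
                good_option += step;       /* matches "--foo" and "--foo=bar" */
            } else if (argv[i][0] != '-') {
                good_option++;             /* plain value or file name */
            } else {
                return 0;                  /* option not on the allow list */
            }
        }
        good_option--;                     /* still > 0: next one is skipped */
    }
    return 1;
}

/* Constructed inputs; "--not-allowed" stands for any option off the list. */
static const char *const spaced[] = { "--foo", "bar", "--not-allowed", NULL };
static const char *const joined[] = { "--foo=bar", "--not-allowed", NULL };
static const char *const benign[] = { "--foo", "bar", "file", NULL };

int main(void)
{
    for (int step = 2; step >= 1; step--) {
        printf("step=%d spaced=%d joined=%d benign=%d\n", step,
               args_accepted(spaced, step), args_accepted(joined, step),
               args_accepted(benign, step));
    }
    return 0;
}
```

With `step` set to 1 the value in `--foo bar` is still accepted, because it reaches the non-dash branch and is counted there.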

Discussion

  • Anonymous

    Anonymous - 2023-02-10

    Originally posted by: amandaTrusted

    do a signed commit

     
  • Anonymous

    Anonymous - 2023-02-10

    Ticket changed by: amandaTrusted

    • status: open --> closed
     
