From 2a567ea3f66b963ebeeaa70d31c98b018428ca26 Mon Sep 17 00:00:00 2001 From: deraadt Date: Wed, 14 Oct 2015 20:57:28 +0000 Subject: [PATCH] Use a strict $PATH of "/usr/bin:/usr/local/bin" to run the (de)compressors (gzip, compress, bzip2) rather than following the user's path. This seems easier than hardcoding the paths elsewhere and using basename(). pax/tar is pledged itself, but it can spawn one of these programs if asked. The three found at the strict path use pledge "stdio" very early during startup, providing a warm fuzzy pledge->exec->no-pledge->pledge interlock. For bzip2, this assumes use of the ports/packages version installed to /usr/local/bin, which has been pledged by sthen@. Doing a 'tar tvfz hostile.tgz' becomes a bit safer, since an attacker finding a buffer overflow or use after free has significantly fewer system calls available (only pledge "stdio" in the decompressor). ok millert sthen --- bin/pax/ar_io.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/pax/ar_io.c b/bin/pax/ar_io.c index 8db2332e0fd..8f313de897e 100644 --- a/bin/pax/ar_io.c +++ b/bin/pax/ar_io.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ar_io.c,v 1.53 2015/10/12 14:01:06 semarie Exp $ */ +/* $OpenBSD: ar_io.c,v 1.54 2015/10/14 20:57:28 deraadt Exp $ */ /* $NetBSD: ar_io.c,v 1.5 1996/03/26 23:54:13 mrg Exp $ */ /*- @@ -1278,6 +1278,10 @@ ar_start_gzip(int fd, const char *path, int wr) } close(fds[0]); close(fds[1]); + + /* System compressors are more likely to use pledge(2) */ + putenv("PATH=/usr/bin:/usr/local/bin"); + if (execlp(path, path, gzip_flags, (char *)NULL) < 0) err(1, "could not exec %s", path); /* NOTREACHED */ -- 2.20.1
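Review bot: the return value of `putenv("PATH=/usr/bin:/usr/local/bin");` in the ar_start_gzip hunk is not checked, so on failure (putenv can fail with ENOMEM) the child silently keeps the inherited PATH and `execlp(path, ...)` falls back to searching the user's directories, which is exactly what this change is meant to prevent; since the code already bails out with `err(1, "could not exec %s", path);` when exec fails, the same treatment fits here, e.g. `if (putenv("PATH=/usr/bin:/usr/local/bin") == -1) err(1, "putenv");` (or `setenv("PATH", "/usr/bin:/usr/local/bin", 1)` with the same check). Passing a string literal to putenv is fine at this point because the process is about to exec or exit. Worth noting in the comment as well that the restricted PATH only matters when `path` is a bare program name; execlp does not consult PATH for a name containing a slash.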