fix: Harden libarchive disk extraction with secure path flags#424
fix: Harden libarchive disk extraction with secure path flags#424orbisai0security wants to merge 2 commits into
Conversation
Automated security fix generated by Orbis Security AI
Even assuming that's possible (and I don't think it is, given Flatpak's sandbox constraints), why on Earth would NVIDIA craft a malicious archive? lol
We're not running the NVIDIA installer, at all, though. We're manually extracting the files from the installer file. Anyway, even if the changes to the code might be positive, the reasoning seems completely bogus to me. But I'm not a C expert, so I'm kindly requesting additional comments from @TingPing and @404NetworkError. |
|
Thanks for the review. I agree the current PR description overstates the impact. You’re right that this tool is not executing the NVIDIA installer, and the current The concrete hardening I was aiming for is narrower: since this code uses I’m happy to revise the PR to:
|
strcat_s (C11 Annex K) is not portable on Linux/glibc. The buffer is already correctly sized, so strcat is safe here. Keep only the libarchive secure extraction flags. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
I have addressed the comments. Can you pls review? |
Summary
Harden libarchive disk extraction by enabling secure extraction flags when materialising files from the NVIDIA driver archive.
This change sets:
ARCHIVE_EXTRACT_SECURE_NODOTDOTARCHIVE_EXTRACT_SECURE_SYMLINKSSo libarchive rejects unsafe
..path components and prevents symlink-based redirection during extraction.Rationale
The current extraction logic already filters and rewrites the NVIDIA archive entries through
should_extract(), so this is not a demonstrated arbitrary file overwrite in the current code path.The goal of this PR is narrower: add defence-in-depth protection so that if future archive path handling, accepted file patterns, or destination rewrites change, extraction remains fail-closed against common unsafe archive-entry behaviour.
archive_write_disk_new()does not enable these secure extraction protections by default, so setting the flags explicitly makes the intended safety boundary clearer and more robust.Scope
This PR is intended only. It does not claim that the current NVIDIA archives are malicious or that the existing whitelist is currently exploitable.
Changes
nvidia-extractor/nvidia-extract.c..path traversal componentsVerification
Automated security fix by OrbisAI Security