npitre cramfs-tools Symlink Following Vulnerability in Continue-on-Error Mode

Vulnerability

A vulnerability in npitre cramfs-tools versions through 2.2 allows symlink following during the extraction of cramfs images. The issue arises in the 'cramfsck' utility when it is run with the continue-on-error option and the extraction directory is a symlink. The affected code is the 'change_file_status' function in 'cramfsck.c', and the result is potential unauthorized file writes in the user's home directory.

Impact

Exploitation of this vulnerability can cause files to be written through symlink targets, bypassing the intended extraction directory. This could lead to unauthorized data creation in sensitive areas, such as the user's SSH directory.

Reproduction

To reproduce this vulnerability, create a symlinked directory that points to a location outside the intended extraction path. Then, use 'cramfsck' with the '-c' and '-x' options to extract a crafted cramfs image that contains files. The extraction process will follow the symlink and write the files to the target location, effectively exploiting the vulnerability.

Remediation

Users are advised to update to the latest version of npitre cramfs-tools, where this vulnerability has been addressed.
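
The following is an added example of a general hardening pattern for this class of bug; it is not the cramfs-tools fix or code from the project. It assumes Linux/POSIX, and the function names are hypothetical: the extraction root is opened without following a symlink, entries are created relative to that descriptor, and the mode is applied through the open descriptor instead of by path name.

```c
/* Added example, not cramfs-tools code; all function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the extraction root; fails if the final path component is a symlink. */
int open_extract_root(const char *path)
{
    return open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* Create one file inside rootfd. O_CREAT|O_EXCL refuses a pre-planted symlink,
 * and the mode is applied through the descriptor, never by path name. */
int write_entry(int rootfd, const char *name, const char *data, mode_t mode)
{
    if (strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, ".."))
        return -EINVAL;
    int fd = openat(rootfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -errno;
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -EIO;
}

/* Constructed scenario in a fresh temp dir: "out" is a symlink to "victim",
 * and "real" holds a planted symlink "key". Returns 0 if every guard holds. */
int demo(void)
{
    char tmpl[] = "/tmp/extract-demo-XXXXXX";
    if (!mkdtemp(tmpl) || chdir(tmpl) || mkdir("victim", 0700) || mkdir("real", 0700)
        || symlink("victim", "out") || symlink("../victim/key", "real/key"))
        return -1;
    if (open_extract_root("out") >= 0) return 1;        /* symlinked root refused */
    int root = open_extract_root("real");
    if (root < 0) return 2;
    if (write_entry(root, "key", "x", 0644) != -EEXIST) return 3; /* link refused */
    if (access("victim/key", F_OK) == 0) return 4;      /* nothing written outside */
    if (write_entry(root, "ok.txt", "x", 0644) != 0) return 5;
    close(root);
    return 0;
}

int main(void) { return demo(); }
```

O_NOFOLLOW only covers the final path component, so a symlink in an earlier component of the extraction path is still followed; nested directories need the same descriptor-relative handling at each level.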

Added: May 18, 2026, 4:20 AM
Updated: May 18, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 3.8
remediation: 0.0
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.