CVE-2018-12015: Archive::Tar: directory traversal #16580
Comments
From @jwilk

By default, the Archive::Tar module doesn't allow extracting files
Proof of concept, which makes Archive::Tar create /tmp/moo, regardless

$ tar -tvvf traversal.tar.gz
$ pwd
$ ls /tmp/moo
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo

Tested with Perl v5.26.1.

--

From @jwilk
From @tonycoz

On Sat, Sep 30, 2017 at 12:23:38PM -0700, Jakub Wilk wrote:

This needs to be reported to the Archive::Tar maintainer, not here.

Tony

The RT System itself - Status changed from 'new' to 'open'
From @jmdh

Hi all,

Please see this report of a directory traversal vulnerability in
Verified with Archive::Tar 2.04_01 (perl 5.24.1), 2.24 (perl 5.26.2) and
I expect the Debian security team (in To:) can assist by supplying a
Note: I'm reporting this in private, but it was already publicly

Dominic.

----- Forwarded message from Jakub Wilk <jwilk@jwilk.net> -----

Date: Tue, 5 Jun 2018 19:03:33 +0200
Source: perl

By default, the Archive::Tar module doesn't allow extracting files outside the
I've attached a proof of concept tarball, which makes Archive::Tar create

$ tar -tvvf traversal.tar.gz
$ pwd
$ ls /tmp/moo
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo

--

----- End forwarded message -----
From carnil@debian.org

Hi Dominic,

On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:

I just have requested a CVE from MITRE, will ping here again when I

Regards,

From carnil@debian.org

Hi!

On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:

MITRE has assigned CVE-2018-12015 for this issue.

Will look if I find time to write to oss-security as well on the CVE
Is there a (public) upstream bugreport on it?

Regards,
From @jmdh

On Thu, Jun 07, 2018 at 03:13:34PM +0200, Salvatore Bonaccorso wrote:

Thanks. I've just created one here:

https://rt.cpan.org/Ticket/Display.html?id=125523

I was holding off on that but since it's already public in the BTS,
There was some indication that someone from p5p-security was looking into

Cheers,

From @jmdh

On Thu, Jun 07, 2018 at 10:33:05PM +0100, Dominic Hargreaves wrote:

There's now a proposed patch there from Petr at Redhat. Any chance someone

Thanks!
From @tonycoz

On Fri, 08 Jun 2018 06:52:40 -0700, dom wrote:

Chris has released a 2.28 with the fix:

https://metacpan.org/release/BINGOS/Archive-Tar-2.28

Please ensure [perl #133250] is in the subject, I just merged four other tickets into this one.

Tony

The RT System itself - Status changed from 'new' to 'open'
From @tonycoz

On Fri, 08 Jun 2018 17:30:17 -0700, tonyc wrote:

How do we want to handle this[1] for maint releases? Do we:

a) ignore it, let the users update from CPAN even with the next maint-5.26, or
b) include the fix and only the fix.

I think we've typically done a), but the dot-in-inc maint changes included changes to cpan/

Tony

[1] and other similar issues in the future

From @iabyn

On Wed, Aug 08, 2018 at 06:23:16PM -0700, Tony Cook via RT wrote:

I think it's a subjective per-issue decision. In this case I think the

--
From @xsawyerx

I agree. We should go with (b) here.

On Thu, Aug 9, 2018 at 10:07 AM Dave Mitchell <davem@iabyn.com> wrote:
From @tonycoz

In blead/5.28 this was fixed in 91f84d6 (v5.28.0-RC2-3-g91f84d6f2b).

The attached patch includes the backport of *only* the CVE fix to maint-5.26.

An alternative might be to simply import Archive-Tar 2.28 (or 2.32) but we've typically stuck to minimal fixes for included CPAN modules.

Since this issue is public, given two other votes I'll apply it immediately to maint-5.26 and make this ticket public.

Tony

From @tonycoz

0001-perl-133250-backport-CVE-2018-12015-fix.patch

From fe83582298e0746ff3b663110d5a6a4b299c96b8 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 20 Sep 2018 11:53:19 +1000
Subject: (perl #133250) backport CVE-2018-12015 fix
---
Porting/Maintainers.pl | 1 +
cpan/Archive-Tar/lib/Archive/Tar.pm | 17 ++++++++++++++++-
t/porting/customized.dat | 1 +
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl
index e9032a91f3..5f3b3141d1 100755
--- a/Porting/Maintainers.pl
+++ b/Porting/Maintainers.pl
@@ -126,6 +126,7 @@ use File::Glob qw(:case);
'EXCLUDED' => [
qw(t/07_ptardiff.t),
],
+ 'CUSTOMIZED' => [ qw(lib/Archive/Tar.pm) ], # CVE-2018-12015
},
'Attribute::Handlers' => {
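Review bot: the CUSTOMIZED entry is the right place to record that cpan/Archive-Tar/lib/Archive/Tar.pm now diverges from CPAN, but the trailing comment names only the CVE; consider also noting the upstream release that already carries the fix (2.28, per this ticket) so that whoever next syncs Archive::Tar from CPAN knows the customization can simply be dropped rather than re-applied.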
diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
index d63e586317..00db612193 100644
--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
@@ -31,7 +31,7 @@ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD
$DEBUG = 0;
$WARN = 1;
$FOLLOW_SYMLINK = 0;
-$VERSION = "2.24";
+$VERSION = "2.24_01";
$CHOWN = 1;
$CHMOD = 1;
$SAME_PERMISSIONS = $> == 0 ? 1 : 0;
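Review bot: bumping $VERSION to the dev-suffixed "2.24_01" correctly marks this as a locally patched copy while still sorting below the fixed upstream 2.28, so a CPAN upgrade will replace it; note that the t/porting/customized.dat hash added later in this patch has to be computed from the file with this new version string, or t/porting/customized.t will fail.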
@@ -845,6 +845,21 @@ sub _extract_file {
return;
}
+ ### If a file system already contains a block device with the same name as
+ ### the being extracted regular file, we would write the file's content
+ ### to the block device. So remove the existing file (block device) now.
+ ### If an archive contains multiple same-named entries, the last one
+ ### should replace the previous ones. So remove the old file now.
+ ### If the old entry is a symlink to a file outside of the CWD, the new
+ ### entry would create a file there. This is CVE-2018-12015
+ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
+ if (-l $full || -e _) {
+ if (!unlink $full) {
+ $self->_error( qq[Could not remove old file '$full': $!] );
+ return;
+ }
+ }
+
if( length $entry->type && $entry->is_file ) {
my $fh = IO::File->new;
$fh->open( '>' . $full ) or (
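Review bot: the backport carries no regression test (the diffstat touches only Tar.pm and the porting metadata); consider adding a t/ case that extracts an archive containing a symlink entry followed by a same-named regular file and asserts that the link's target is left untouched. The logic itself reads correctly: `-l $full` performs an lstat and `-e _` reuses that buffer, so a dangling symlink is still removed rather than followed, and the unlink happens before the `'>'` open, so the write can no longer go through a pre-existing link, device node or stale entry. One behavioural detail worth a line in the comment: if $full is an existing directory, unlink fails and _extract_file now returns with "Could not remove old file", where previously the open itself would have failed; not a regression, but a different error message.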
diff --git a/t/porting/customized.dat b/t/porting/customized.dat
index 5014b3e210..7a5c7fc0b4 100644
--- a/t/porting/customized.dat
+++ b/t/porting/customized.dat
@@ -1,3 +1,4 @@
+Archive::Tar cpan/Archive-Tar/lib/Archive/Tar.pm e93f3f352b4820b3ccdc1f06cb82b2102fe1de3b
Digest cpan/Digest/Digest.pm 43f7f544cb11842b2f55c73e28930da50774e081
Encode cpan/Encode/Unicode/Unicode.pm 9749692c67f7d69083034de9184a93f070ab4799
ExtUtils::Constant cpan/ExtUtils-Constant/t/Constant.t a0369c919e216fb02767a637666bb4577ad79b02
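Review bot: the new Archive::Tar line must be the SHA-1 of cpan/Archive-Tar/lib/Archive/Tar.pm exactly as patched here (including the 2.24_01 version bump), since t/porting/customized.t recomputes and compares it; please confirm the value was generated from the committed file rather than from a working copy, and keep the list sorted as it is (Archive::Tar correctly precedes Digest).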
--
2.11.0
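As an added example (not code from this ticket or from Archive::Tar itself), a pre-extraction audit in Perl that walks an archive with the public Archive::Tar API and flags the entry pattern the patch comment above describes: a symlink whose target lies outside the extraction root, followed by a non-symlink entry of the same name. The add_data type/linkname overrides used to build the in-memory sample and the /tmp/placeholder link target are assumptions of the example.

```perl
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant qw(SYMLINK);
use File::Spec;
# True when a path is absolute or climbs out of the extraction root via '..'.
# Conservative: a relative link target containing '..' is reported as well.
sub escapes_root {
    my ($path) = @_;
    return 1 if File::Spec->file_name_is_absolute($path);
    return 1 if grep { $_ eq '..' } File::Spec->splitdir($path);
    return 0;
}
# Walk the entries in archive order and return findings without extracting.
# The last rule is the CVE-2018-12015 shape: a symlink entry followed by a
# same-named non-symlink entry, which a vulnerable extractor writes through it.
sub audit_tar {
    my ($tar) = @_;
    my (@findings, %symlink_target);
    for my $entry ($tar->get_files) {
        my $path = $entry->full_path;
        push @findings, "path escapes root: $path" if escapes_root($path);
        if ($entry->is_symlink || $entry->is_hardlink) {
            my $target = $entry->linkname;
            push @findings, "link target escapes root: $path -> $target"
                if escapes_root($target);
        }
        if ($entry->is_symlink) {
            $symlink_target{$path} = $entry->linkname;
        }
        elsif (exists $symlink_target{$path}) {
            push @findings, "entry reuses an earlier symlink name: $path"
                . " (link -> $symlink_target{$path})";
        }
    }
    return @findings;
}
# Audit the archive named on the command line or, with no argument, a constructed
# in-memory sample (never written out or extracted): a benign file, a symlink to a
# placeholder path outside the root, then a regular file carrying the link's name.
my $tar = Archive::Tar->new;
if (@ARGV) {
    defined $tar->read($ARGV[0]) or die "cannot read $ARGV[0]: " . $tar->error;
} else {
    $tar->add_data('README', "harmless\n");
    $tar->add_data('moo', '', { type => SYMLINK, linkname => '/tmp/placeholder' });
    $tar->add_data('moo', "data a vulnerable extractor would write through the link\n");
}
my @findings = audit_tar($tar);
print @findings ? join('', map { "SUSPICIOUS: $_\n" } @findings) : "no findings\n";
```

Run against the constructed sample it reports the absolute link target and the reused name; run as `perl audit.pl some.tar.gz` it audits a real archive before anything is extracted.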
From @arc

tonyc wrote:

I can't see an entry in the votes file, but please take this as my vote to merge to maint-5.26.

Thanks, Tony!

--
From @xsawyerx

Same from me.

On Fri, Sep 21, 2018, 13:07 Aaron Crane via RT <rt-comment@perl.org> wrote:

From @tonycoz

On Fri, 21 Sep 2018 03:04:18 -0700, arc wrote:

Yeah, there's no corresponding commit in blead, since that included the full

Applied as d0130b8.

Leaving this open until 5.26.next is released.

Tony

@xsawyerx - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#133250 (status was 'resolved')