CVE-2018-12015: Archive::Tar: directory traversal #16580
Comments
From @jwilk:

By default, the Archive::Tar module doesn't allow extracting files Proof of concept, which makes Archive::Tar create /tmp/moo, regardless

$ tar -tvvf traversal.tar.gz
$ pwd
$ ls /tmp/moo
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo

Tested with Perl v5.26.1.
From @tonycoz: On Sat, Sep 30, 2017 at 12:23:38PM -0700, Jakub Wilk wrote:

This needs to be reported to the Archive::Tar maintainer, not here.

Tony
The RT System itself - Status changed from 'new' to 'open'
From @jmdh: Hi all,

Please see this report of a directory traversal vulnerability in Verified with Archive::Tar 2.04_01 (perl 5.24.1), 2.24 (perl 5.26.2) and I expect the Debian security team (in To:) can assist by supplying a

Note: I'm reporting this in private, but it was already publicly

Dominic.

----- Forwarded message from Jakub Wilk <jwilk@jwilk.net> -----
Date: Tue, 5 Jun 2018 19:03:33 +0200
Source: perl

By default, the Archive::Tar module doesn't allow extracting files outside the I've attached proof of concept tarball, which makes Archive::Tar create

$ tar -tvvf traversal.tar.gz
$ pwd
$ ls /tmp/moo
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo

----- End forwarded message -----
From carnil@debian.org: Hi Dominic,

On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:

I have just requested a CVE from MITRE, will ping here again when I

Regards,
From carnil@debian.org: Hi!

On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:

MITRE has assigned CVE-2018-12015 for this issue.

Will look if I find time to write to oss-security as well on the CVE

Is there a (public) upstream bug report on it?

Regards,
From @jmdh: On Thu, Jun 07, 2018 at 03:13:34PM +0200, Salvatore Bonaccorso wrote:

Thanks. I've just created one here: https://rt.cpan.org/Ticket/Display.html?id=125523

I was holding off on that but since it's already public in the BTS,

There was some indication that someone from p5p-security was looking into

Cheers,
From @jmdh: On Thu, Jun 07, 2018 at 10:33:05PM +0100, Dominic Hargreaves wrote:

There's now a proposed patch there from Petr at Redhat. Any chance someone

Thanks!
From @tonycoz: On Fri, 08 Jun 2018 06:52:40 -0700, dom wrote:

Chris has released a 2.28 with the fix: https://metacpan.org/release/BINGOS/Archive-Tar-2.28

Please ensure [perl #133250] is in the subject, I just merged four other tickets into this one.

Tony
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz: On Fri, 08 Jun 2018 17:30:17 -0700, tonyc wrote:

How do we want to handle this[1] for maint releases? Do we:

a) ignore it, let the users update from CPAN even with the next maint-5.26, or
b) include the fix and only the fix.

I think we've typically done a), but the dot-in-inc maint changes included changes to cpan/

Tony

[1] and other similar issues in the future
From @iabyn: On Wed, Aug 08, 2018 at 06:23:16PM -0700, Tony Cook via RT wrote:

I think it's a subjective per-issue decision. In this case I think the
From @xsawyerx: I agree. We should go with (b) here.

On Thu, Aug 9, 2018 at 10:07 AM Dave Mitchell <davem@iabyn.com> wrote:
From @tonycoz: In blead/5.28 this was fixed in 91f84d6 (v5.28.0-RC2-3-g91f84d6f2b).

The attached patch includes the backport of *only* the CVE fix to maint-5.26. An alternative might be to simply import Archive-Tar 2.28 (or 2.32) but we've typically stuck to minimal fixes for included CPAN modules.

Since this issue is public, given two other votes I'll apply it immediately to maint-5.26 and make this ticket public.

Tony
From @tonycoz: 0001-perl-133250-backport-CVE-2018-12015-fix.patch

From fe83582298e0746ff3b663110d5a6a4b299c96b8 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 20 Sep 2018 11:53:19 +1000
Subject: (perl #133250) backport CVE-2018-12015 fix
---
Porting/Maintainers.pl | 1 +
cpan/Archive-Tar/lib/Archive/Tar.pm | 17 ++++++++++++++++-
t/porting/customized.dat | 1 +
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl
index e9032a91f3..5f3b3141d1 100755
--- a/Porting/Maintainers.pl
+++ b/Porting/Maintainers.pl
@@ -126,6 +126,7 @@ use File::Glob qw(:case);
'EXCLUDED' => [
qw(t/07_ptardiff.t),
],
+ 'CUSTOMIZED' => [ qw(lib/Archive/Tar.pm) ], # CVE-2018-12015
},
'Attribute::Handlers' => {
diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
index d63e586317..00db612193 100644
--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
@@ -31,7 +31,7 @@ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD
$DEBUG = 0;
$WARN = 1;
$FOLLOW_SYMLINK = 0;
-$VERSION = "2.24";
+$VERSION = "2.24_01";
$CHOWN = 1;
$CHMOD = 1;
$SAME_PERMISSIONS = $> == 0 ? 1 : 0;
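Review bot: the bump to `$VERSION = "2.24_01";` uses the underscore suffix that core perl reserves for a locally customized copy of a CPAN module, so a later install of Archive-Tar 2.28 from CPAN still supersedes it; keep this in step with the CUSTOMIZED entry in Porting/Maintainers.pl and the hash recorded in t/porting/customized.dat, since all three describe the same file.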
@@ -845,6 +845,21 @@ sub _extract_file {
return;
}
+ ### If a file system already contains a block device with the same name as
+ ### the being extracted regular file, we would write the file's content
+ ### to the block device. So remove the existing file (block device) now.
+ ### If an archive contains multiple same-named entries, the last one
+ ### should replace the previous ones. So remove the old file now.
+ ### If the old entry is a symlink to a file outside of the CWD, the new
+ ### entry would create a file there. This is CVE-2018-12015
+ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
+ if (-l $full || -e _) {
+ if (!unlink $full) {
+ $self->_error( qq[Could not remove old file '$full': $!] );
+ return;
+ }
+ }
+
if( length $entry->type && $entry->is_file ) {
my $fh = IO::File->new;
$fh->open( '>' . $full ) or (
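Review bot: the `if (-l $full || -e _)` / `unlink $full` block removes a pre-existing symlink before the file is created, but there is still a window between `unlink $full` and `$fh->open( '>' . $full )` in which the path could be re-created by another process; that is outside the untrusted-archive threat model this CVE covers and is acceptable for a minimal backport, though a `sysopen` with O_CREAT|O_EXCL would make the create step atomic. Worth noting in the comment: `-e _` reuses the lstat buffer filled by `-l $full`, so it tests the entry itself rather than a symlink target, which is what is wanted for dangling links. Minor wording: "the being extracted regular file" reads better as "the regular file being extracted".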
diff --git a/t/porting/customized.dat b/t/porting/customized.dat
index 5014b3e210..7a5c7fc0b4 100644
--- a/t/porting/customized.dat
+++ b/t/porting/customized.dat
@@ -1,3 +1,4 @@
+Archive::Tar cpan/Archive-Tar/lib/Archive/Tar.pm e93f3f352b4820b3ccdc1f06cb82b2102fe1de3b
Digest cpan/Digest/Digest.pm 43f7f544cb11842b2f55c73e28930da50774e081
Encode cpan/Encode/Unicode/Unicode.pm 9749692c67f7d69083034de9184a93f070ab4799
ExtUtils::Constant cpan/ExtUtils-Constant/t/Constant.t a0369c919e216fb02767a637666bb4577ad79b02
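Review bot: the new `Archive::Tar cpan/Archive-Tar/lib/Archive/Tar.pm e93f3f35...` line pins the SHA-1 of Tar.pm as patched, and t/porting/customized.t will fail if Tar.pm is edited again in maint-5.26 without refreshing this hash; any follow-up touch to that file needs to update this line too.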
--
2.11.0
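The entry pattern the report and the patch comment describe (a symlink entry pointing outside the extraction directory, followed by a regular file of the same name, which a vulnerable extractor opens for writing through the link) can be flagged before extraction. This is an added detection example in Python, not code from this thread or from Archive::Tar; the archive it scans is constructed in memory with the report's /tmp/moo target and is not the attached PoC tarball.

```python
"""Detect the symlink-then-same-name-file pattern behind CVE-2018-12015."""
import io
import os
import tarfile


def build_constructed_poc(target="/tmp/moo", with_link=True):
    """Build an in-memory archive shaped like the report's PoC (constructed
    sample, not the tarball attached to the report). With with_link=False
    only the regular file is written, giving a benign archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        if with_link:
            link = tarfile.TarInfo("moo")
            link.type = tarfile.SYMTYPE
            link.linkname = target        # points outside the extraction dir
            tar.addfile(link)
        data = b"written through the link by a vulnerable extractor\n"
        reg = tarfile.TarInfo("moo")      # same name again, now a regular file
        reg.size = len(data)
        tar.addfile(reg, io.BytesIO(data))
    return buf.getvalue()


def find_symlink_overwrites(archive_bytes):
    """Return (name, linkname) pairs for every non-symlink entry that reuses
    the name of an earlier symlink entry; an extractor that opens the existing
    path with '>' (as Archive::Tar did before the fix) would follow the link."""
    findings = []
    seen_links = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            name = os.path.normpath(member.name)
            if member.issym():
                seen_links[name] = member.linkname
            elif name in seen_links:
                findings.append((name, seen_links[name]))
    return findings


if __name__ == "__main__":
    print(find_symlink_overwrites(build_constructed_poc()))
    # → [('moo', '/tmp/moo')]
```

Run the scanner over an archive before handing it to an extractor whose Archive::Tar is older than 2.28 (or 2.24_01 in maint-5.26); a non-empty result is the pattern the fix guards against.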
From @arc: tonyc wrote:

I can't see an entry in the votes file, but please take this as my vote to merge to maint-5.26.

Thanks, Tony!
From @xsawyerx: Same from me.

On Fri, Sep 21, 2018, 13:07 Aaron Crane via RT <rt-comment@perl.org> wrote:
From @tonycoz: On Fri, 21 Sep 2018 03:04:18 -0700, arc wrote:

Yeah, there's no corresponding commit in blead, since that included the full

Applied as d0130b8.

Leaving this open until 5.26.next is released.

Tony
@xsawyerx - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#133250 (status was 'resolved')
Searchable as RT133250$