This queue is for tickets about the Archive-Tar CPAN distribution.

Report information
The Basics
Id: 125523
Status: open
Priority: 0/
Queue: Archive-Tar

People
Owner: Nobody in particular
Requestors: dom [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 2.26
Fixed in: (no value)



Subject: CVE-2018-12015 directory traversal vulnerability
As reported to the Debian BTS[1] Archive-Tar has a symlink-related directory traversal vulnerability:

-----
By default, the Archive::Tar module doesn't allow extracting files outside the current working directory. However, you can bypass this secure extraction mode easily by putting a symlink and a regular file with the same name into the tarball.

I've attached a proof of concept tarball, which makes Archive::Tar create /tmp/moo, regardless of what the current working directory is:

  $ tar -tvvf traversal.tar.gz
  lrwxrwxrwx root/root         0 2018-06-05 18:55 moo -> /tmp/moo
  -rw-r--r-- root/root         4 2018-06-05 18:55 moo
  $ pwd
  /home/jwilk
  $ ls /tmp/moo
  ls: cannot access '/tmp/moo': No such file or directory
  $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
  $ ls /tmp/moo
  /tmp/moo
-----

The attachment is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=900834;filename=traversal.tar.gz;msg=3

[1] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834>
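The sequence in the listing above (a symlink entry followed by a regular-file entry of the same name, with the link pointing outside the extraction root) can be recognised before anything is written to disk. The Python scanner below is an added example for this page, not code from the ticket, from Debian or from Archive::Tar; it walks entries in archive order, as GNU tar and Archive::Tar extract them, and reports both findings. The sample archive it checks is constructed in memory to mirror the listing (it is not the Debian attachment), and the function names are my own.

```python
"""Scan a tar archive for the symlink-then-same-name pattern from the report.

Added example; not code from the ticket or from Archive::Tar. The sample
archive is constructed in memory to mirror the listing in the report
(symlink `moo -> /tmp/moo` followed by a regular file `moo`); it is not
the Debian attachment.
"""
import io
import posixpath
import tarfile


def _kind(member: tarfile.TarInfo) -> str:
    """Human-readable entry type used in findings."""
    if member.issym():
        return "symlink"
    if member.islnk():
        return "hardlink"
    if member.isdir():
        return "directory"
    return "file"


def _escapes_root(linkname: str, entry_name: str) -> bool:
    """True if a symlink target resolves outside the extraction root.

    Relative targets are resolved against the directory holding the link,
    which is how the filesystem resolves them at extraction time."""
    if posixpath.isabs(linkname):
        return True
    resolved = posixpath.normpath(
        posixpath.join(posixpath.dirname(entry_name), linkname))
    return resolved == ".." or resolved.startswith("../")


def scan_archive(data: bytes) -> dict:
    """Walk entries in archive order and collect the two findings that matter.

    'overwrites': a later entry reuses the name of an earlier symlink or
    hardlink, which is exactly the sequence Archive::Tar 2.26 wrote through.
    'escaping_links': symlinks whose target leaves the extraction root."""
    links = {}          # normalized name -> linkname of link entries seen so far
    overwrites = []
    escaping = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            name = posixpath.normpath(member.name)
            if name in links:
                overwrites.append((name, links[name], _kind(member)))
            if member.issym():
                if _escapes_root(member.linkname, name):
                    escaping.append((name, member.linkname))
                links[name] = member.linkname
            elif member.islnk():
                links[name] = member.linkname
    return {"overwrites": overwrites, "escaping_links": escaping}


def is_suspicious(data: bytes) -> bool:
    """Policy hook: refuse archives that show either finding."""
    result = scan_archive(data)
    return bool(result["overwrites"] or result["escaping_links"])


def build_sample_archive(with_symlink: bool = True) -> bytes:
    """Constructed sample mirroring the report's two-entry listing.

    with_symlink=False yields a benign archive with only the regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        if with_symlink:
            link = tarfile.TarInfo("moo")
            link.type = tarfile.SYMTYPE
            link.linkname = "/tmp/moo"
            tar.addfile(link)
        payload = b"moo\n"
        reg = tarfile.TarInfo("moo")
        reg.size = len(payload)
        tar.addfile(reg, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
```

Tracking hardlinks as well as symlinks is deliberate: a hardlink entry followed by a same-named regular file would also redirect the write to whatever the link pointed at, so the same ordering rule applies to both link types.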
On Thu 07 Jun 2018 17:31:29, DOM wrote:
> $ tar -tvvf traversal.tar.gz
> lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
> -rw-r--r-- root/root 4 2018-06-05 18:55 moo
>

A tar archive can contain multiple file entries with the same name. The GNU tar info page reads:

[...] files are extracted from an archive in the order in which they were archived. Thus, when the archive is extracted, a file archived later in time will replace a file of the same name which was archived earlier [...] When you extract the archive, the older version of the file will be extracted first, and then replaced by the newer version when it is extracted.

It looks like first Archive::Tar creates the symlink (first entry) and then writes the regular file content into the symlink (second entry). GNU tar indeed replaces the symlink with a regular file.
On Thu 07 Jun 2018 17:31:29, DOM wrote:
> As reported to the Debian BTS[1] Archive-Tar has a symlink-related
> directory traversal vulnerability:
>

Attached patch simply removes every existing (non-directory) file that's going to be extracted. Even in non-secure mode.

Is it fine, or too strict, or even dangerous?

Subject: 0001-Remove-existing-files-before-overwriting-them.patch
From d23726d0d3d30ce451c6eadda41a2df5446ead27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Fri, 8 Jun 2018 09:53:16 +0200 Subject: [PATCH] Remove existing files before overwriting them MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Archive should extract only the latest same-named entry. Extracted regular file should not be writtent into existing block device (or any other one). https://rt.cpan.org/Ticket/Display.html?id=125523 Signed-off-by: Petr Písař <ppisar@redhat.com> --- lib/Archive/Tar.pm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/lib/Archive/Tar.pm b/lib/Archive/Tar.pm index 9ac2763..adfb433 100644 --- a/lib/Archive/Tar.pm +++ b/lib/Archive/Tar.pm @@ -845,6 +845,20 @@ sub _extract_file { return; } + ### If a file system already contains a block device with the same name as + ### the being extracted regular file, we would write the file's content + ### to the block device. So remove the existing file (block device) now. + ### If an archive contains multiple same-named entries, the last one + ### should replace the previous ones. So remove the old file now. + ### If the old entry is a symlink to a file outside of the CWD, the new + ### entry would create a file there. This is CVE-2018-12015 + ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. + if (-l $full || -e _) { + if (!unlink $full) { + $self->_error( qq[Could not remove old file '$full': $!] ); + return; + } + } if( length $entry->type && $entry->is_file ) { my $fh = IO::File->new; $fh->open( $full, '>' ) or ( -- 2.14.4
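Review bot: the added block still leaves a window between `unlink $full` and the later `$fh->open( $full, '>' )`: a symlink recreated at `$full` in that interval is followed by the `'>'` open exactly as in 2.26, so this narrows the CVE-2018-12015 write rather than closing it. Opening with `O_CREAT|O_EXCL` (which refuses to follow a symlink already at the path) or writing to a temporary name in the same directory and renaming over `$full` would make the replacement safe regardless of timing. Two smaller points: `-l $full || -e _` also matches an existing directory, in which case `unlink` fails and the entry is reported as `Could not remove old file`, a behaviour change the commit message ("every existing (non-directory) file") should mention; and "writtent" in the commit message is a typo.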

From: Dominic Hargreaves <dom [...] earth.li>
Date: Fri, 8 Jun 2018 14:51:30 +0100
Subject: Re: [rt.cpan.org #125523] CVE-2018-12015 directory traversal vulnerability
On Fri, Jun 08, 2018 at 04:02:58AM -0400, Petr Pisar via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=125523 >
>
> On Thu 07 Jun 2018 17:31:29, DOM wrote:
> > As reported to the Debian BTS[1] Archive-Tar has a symlink-related
> > directory traversal vulnerability:
> >
> Attached patch simply removes every existing (non-directory) file that's going to be extracted. Even in non-secure mode.
>
> Is it fine, or too strict, or even dangerous?

This looks good to me, but I'd like a second opinion from someone more familiar with the code before applying to Debian.

Thanks!
Dominic.

From: Chris 'BinGOs' Williams <chris [...] bingosnet.co.uk>
Date: Fri, 8 Jun 2018 16:29:47 +0100
Subject: Re: [rt.cpan.org #125523] CVE-2018-12015 directory traversal vulnerability
On Fri, Jun 08, 2018 at 10:22:48AM -0400, dom@earth.li via RT wrote:
>
> This looks good to me, but I'd like a second opinion from someone more
> familiar with the code before applying to Debian.
>
> Thanks!
> Dominic.

I have applied it as https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5

and released 2.28 to CPAN: https://metacpan.org/release/BINGOS/Archive-Tar-2.28

Cheers,
--
Chris Williams aka BinGOs

PGP ID 0x4658671F
http://www.gumbynet.org.uk
==========================
On 2018-06-08 08:31:22, chris@bingosnet.co.uk wrote:
> On Fri, Jun 08, 2018 at 10:22:48AM -0400, dom@earth.li via RT wrote:
> >
> > This looks good to me, but I'd like a second opinion from someone
> > more familiar with the code before applying to Debian.
> >
> > Thanks!
> > Dominic.
>
> I have applied it as https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
>
> and released 2.28 to CPAN: https://metacpan.org/release/BINGOS/Archive-Tar-2.28
>
> Cheers,

Can this ticket be closed now?

From: Dominic Hargreaves <dom [...] earth.li>
Date: Sun, 10 Jun 2018 00:29:43 +0100
Subject: Re: [rt.cpan.org #125523] CVE-2018-12015 directory traversal vulnerability
On Fri, Jun 08, 2018 at 11:31:23AM -0400, chris@bingosnet.co.uk via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=125523 >
>
> On Fri, Jun 08, 2018 at 10:22:48AM -0400, dom@earth.li via RT wrote:
> >
> > This looks good to me, but I'd like a second opinion from someone more
> > familiar with the code before applying to Debian.
> >
> > Thanks!
> > Dominic.
>
> I have applied it as https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
>
> and released 2.28 to CPAN: https://metacpan.org/release/BINGOS/Archive-Tar-2.28

Thanks! We're rolling this out in Debian now.

Best,
Dominic.
On Fri Jun 08 04:02:52 2018, ppisar wrote:
> On Thu 07 Jun 2018 17:31:29, DOM wrote:
> > As reported to the Debian BTS[1] Archive-Tar has a symlink-related
> > directory traversal vulnerability:
> >
> Attached patch simply removes every existing (non-directory) file
> that's going to be extracted. Even in non-secure mode.
>
> Is it fine, or too strict, or even dangerous?
>

Doesn't this just shorten the race and yet still have the same problem?

If the attacker does something like:

  perl -e 'symlink "attack_vector" "to.extract" while 1'

Then I would think there's a reasonable chance that the symlink will get created between the unlink and the open while Archive::Tar is busy checking the length, if it is a file, and instantiating an IO::File object.

I don't think the unlink is a negative, in that it avoids a case where you might run out of space to extract two copies of the file, but shouldn't this use a tempfile with a reasonably random name to avoid the race and then atomically rename it to the correct name?
On Wed Jun 13 23:17:50 2018, ANDREW wrote:
> On Fri Jun 08 04:02:52 2018, ppisar wrote:
> > On Thu 07 Jun 2018 17:31:29, DOM wrote:
> > > As reported to the Debian BTS[1] Archive-Tar has a symlink-related
> > > directory traversal vulnerability:
> > >
> > Attached patch simply removes every existing (non-directory) file
> > that's going to be extracted. Even in non-secure mode.
> >
> > Is it fine, or too strict, or even dangerous?
> >

Talking to ewilhelm at pdx.pm, the solution is probably to use the O_EXCL flag for the open. This is not guaranteed to work on NFS, so you would also need a lockfile for that. No idea what guarantees you're looking for with this.

https://man.openbsd.org/open#O_EXCL
On Thu Jun 14 22:58:45 2018, ANDREW wrote:
> On Wed Jun 13 23:17:50 2018, ANDREW wrote:
> > On Fri Jun 08 04:02:52 2018, ppisar wrote:
> > > On Thu 07 Jun 2018 17:31:29, DOM wrote:
> > > > As reported to the Debian BTS[1] Archive-Tar has a symlink-related
> > > > directory traversal vulnerability:
> > > >
> > > Attached patch simply removes every existing (non-directory) file
> > > that's going to be extracted. Even in non-secure mode.
> > >
> > > Is it fine, or too strict, or even dangerous?
> > >
>
> Talking to ewilhelm at pdx.pm, the solution is probably to use the
> O_EXCL flag for the open. This is not guaranteed to work on NFS, so
> you would also need a lockfile for that. No idea what guarantees
> you're looking for with this.
>
> https://man.openbsd.org/open#O_EXCL

Here is a patch that adds the O_EXCL flag to the open call. Removing the unlink patch with just this one shows that it works, as the test suite extracts over files.

Subject: 0001-Extract-files-with-O_EXCL.patch
From 0766551dd0298b5216699abf3f805c59b92c7840 Mon Sep 17 00:00:00 2001 From: Andrew Hewus Fresh <andrew@afresh1.com> Date: Fri, 15 Jun 2018 15:47:49 -0700 Subject: [PATCH] Extract files with O_EXCL This will cause the open to die if the file exists, avoiding a race condition and security risk. Relates to commit ae65651eab053fc6dc4590dbb863a268215c1fc5 and https://rt.cpan.org/Ticket/Display.html?id=125523 --- lib/Archive/Tar.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Archive/Tar.pm b/lib/Archive/Tar.pm index 5950b3e..a3aa577 100644 --- a/lib/Archive/Tar.pm +++ b/lib/Archive/Tar.pm @@ -861,7 +861,7 @@ sub _extract_file { } if( length $entry->type && $entry->is_file ) { my $fh = IO::File->new; - $fh->open( $full, '>' ) or ( + $fh->open( $full, O_WRONLY|O_CREAT|O_EXCL ) or ( $self->_error( qq[Could not open file '$full': $!] ), return ); -- 2.16.4
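Review bot: this hunk changes behaviour for every pre-existing `$full`, not just the symlink case: with `O_WRONLY|O_CREAT|O_EXCL` the open fails with EEXIST whenever the path exists, and the covering message confirms the test suite's extract-over-existing-files cases break once the earlier unlink is dropped, so the commit message should state that ae65651eab053fc6dc4590dbb863a268215c1fc5 is a hard prerequisite rather than "Relates to". A comment beside the flags should say why they are there (a symlink recreated between the unlink and this open is refused instead of followed) and carry the NFS caveat raised upthread, since a reader of `lib/Archive/Tar.pm` will otherwise see only a bare mode change; the `Could not open file '$full'` error could also name an existing path as the expected cause, because callers will now hit it where 2.26 silently overwrote.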
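The two mitigations raised in the thread, the temp-file-plus-rename that ANDREW suggested earlier and the `O_EXCL` open in the patch just above, can be compared directly against the 2.26-style open on a throwaway directory. The Python below is an added example written for this page, not code from Archive::Tar, from the ticket or from either patch; the function names (`naive_write`, `excl_write`, `atomic_write`, `demo`) are my own, and `demo` plants a symlink in a temporary directory to stand in for the already-extracted `moo -> /tmp/moo` entry rather than touching `/tmp`.

```python
"""Write an extracted file without letting a pre-planted symlink redirect it.

Added example; not code from Archive::Tar or from the ticket. `demo` sets up
the report's scenario in temporary directories: a symlink already sits at the
target name and points outside the extraction root, then a writer is asked to
store the regular-file entry at that name.
"""
import os
import tempfile


def naive_write(path: str, data: bytes) -> None:
    """2.26-style behaviour: a plain open for writing follows a symlink at path."""
    with open(path, "wb") as fh:
        fh.write(data)


def excl_write(path: str, data: bytes) -> None:
    """Unlink whatever sits at path, then create it with O_EXCL (the two patches).

    O_EXCL makes open fail with EEXIST if anything, including a symlink, which
    it does not follow, appears between the unlink and the open. A racing
    symlink therefore turns into an error instead of a write elsewhere.
    As noted in the thread, the O_EXCL guarantee is not reliable on NFS."""
    try:
        os.unlink(path)   # removes the symlink itself, never its target
    except FileNotFoundError:
        pass
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def atomic_write(path: str, data: bytes) -> None:
    """Write to an unpredictable temp name in the same directory, then rename.

    rename(2) replaces the destination atomically and never follows a symlink
    already sitting there, so no unlink/open window exists at all."""
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(prefix=".extract-", dir=dirname)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo(writer) -> tuple:
    """Run writer against a planted symlink and report where the data landed.

    Returns (target_is_regular_file, escaped_path_was_created)."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as outside:
        escaped = os.path.join(outside, "moo")   # stands in for /tmp/moo
        target = os.path.join(root, "moo")
        os.symlink(escaped, target)               # the already-extracted link entry
        try:
            writer(target, b"moo\n")
        except FileExistsError:
            pass   # excl_write's expected failure mode if something races it
        landed_in_place = os.path.isfile(target) and not os.path.islink(target)
        escaped_created = os.path.exists(escaped)
        return landed_in_place, escaped_created


if __name__ == "__main__":
    for fn in (naive_write, excl_write, atomic_write):
        print(fn.__name__, demo(fn))
```

The rename variant is the stronger of the two because it removes the race window rather than detecting it, at the cost of a temporary name appearing in the target directory during extraction; the unlink-plus-O_EXCL variant matches what the two patches on this ticket do and fails closed when something does race it.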
MIME-Version: 1.0
X-Spam-Status: No, score=-6.022 tagged_above=-99.9 required=10 tests=[AWL=-0.122, BAYES_00=-1.9, FROM_OUR_RT=-4] autolearn=ham
In-Reply-To: <rt-4.0.18-14824-1528946270-1030.125523-6-0 [...] rt.cpan.org>
Content-Disposition: inline
X-Cpan.org: This message routed through the cpan.org mail forwarding service. Please use PAUSE pause.perl.org to configure your delivery settings.
X-Spam-Flag: NO
X-RT-Interface: API
References: <RT-Ticket-125523 [...] rt.cpan.org> <rt-4.0.18-28401-1528407089-203.125523-6-0 [...] rt.cpan.org> <rt-4.0.18-14810-1528444972-303.125523-6-0 [...] rt.cpan.org> <rt-4.0.18-14824-1528946270-1030.125523-6-0 [...] rt.cpan.org>
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
Message-ID: <20180616001528.xjofcf2ibi53spyi [...] urchin.earth.li>
content-type: text/plain; charset="utf-8"
X-RT-Original-Encoding: utf-8
X-Spam-Score: -6.022
Subject: Re: [rt.cpan.org #125523] CVE-2018-12015 directory traversal vulnerability
User-Agent: NeoMutt/20170113 (1.7.2)
Date: Sat, 16 Jun 2018 01:15:28 +0100
To: Andrew Fresh via RT <bug-Archive-Tar [...] rt.cpan.org>
Content-Transfer-Encoding: 8bit
From: Dominic Hargreaves <dom [...] earth.li>
RT-Message-ID: <rt-4.0.18-369-1529108157-1377.125523-0-0 [...] rt.cpan.org>
Content-Length: 1733
On Wed, Jun 13, 2018 at 11:17:51PM -0400, Andrew Fresh via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=125523 >
>
> On Fri Jun 08 04:02:52 2018, ppisar wrote:
> > On Thu 07 Jun 2018 17:31:29, DOM wrote:
> > > As reported to the Debian BTS[1] Archive-Tar has a symlink-related
> > > directory traversal vulnerability:
> > >
> > Attached patch simply removes every existing (non-directory) file
> > that's going to be extracted. Even in non-secure mode.
> >
> > Is it fine, or too strict, or even dangerous?
> >
> Doesn't this just shorten the race and yet still have the same problem?
>
> If the attacker does something like:
> perl -e 'symlink "attack_vector" "to.extract" while 1'
The attack referred to in this ticket is not to do with people extracting into an attacker controlled directory, but people extracting an attacker-controlled archive. So there is no change for the attacker to run this code.

> Then I would think there's a reasonable chance that the symlink will get created between the unlink and the open while Archive::Tar is busy checking the length, if it is a file, and instantiating an IO::File object.
>
> I don't think the unlink is a negative, in that it avoids a case where you might run out of space to extract two copies of the file, but shouldn't this use a tempfile with a reasonably random name to avoid the race and then atomically rename it to the correct name?

This isn't to say that the attack you describe isn't valid, but it would be much, much harder to pull off, since it would require the victim to be unpacking an archive - and this isn't a bug in Archive-Tar so much as a user behaviour problem, right?

Or am I misunderstanding completely?

Dominic.
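The race discussed above, as an added example that is not part of this ticket or of Archive::Tar's own code: a small Perl script, assuming a POSIX filesystem and using a temporary directory in place of /tmp/moo, that opens the extraction target with O_WRONLY|O_CREAT|O_EXCL as the patch does and shows the pre-planted symlink being refused, where the old '>' open follows it.

```perl
#!/usr/bin/env perl
# Added example, not Archive::Tar's own code. Assumes a POSIX filesystem.
# Shows why the patch's O_WRONLY|O_CREAT|O_EXCL open refuses a pre-planted
# symlink (even a dangling one), while the old '>' open follows it and
# writes outside the extraction directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);
use File::Spec;
use IO::File;

# Old behaviour: '>' creates/truncates through whatever sits at $path.
sub open_trunc {
    my ($path) = @_;
    my $fh = IO::File->new;
    return $fh->open( $path, '>' ) ? $fh : undef;
}

# Patched behaviour: with O_EXCL the kernel returns EEXIST when any object,
# including a dangling symlink, already occupies the final path component,
# so the link is never followed.
sub open_excl {
    my ($path) = @_;
    my $fh = IO::File->new;
    return $fh->open( $path, O_WRONLY | O_CREAT | O_EXCL ) ? $fh : undef;
}

# Constructed scenario (the ticket's PoC, kept inside a temp dir): the
# archive's symlink entry "moo" already points outside the extraction
# directory when the regular-file entry "moo" is about to be written.
my $base    = tempdir( CLEANUP => 1 );
my $extract = File::Spec->catdir( $base, 'extract' );
my $outside = File::Spec->catfile( $base, 'outside.txt' );  # stand-in for /tmp/moo
my $entry   = File::Spec->catfile( $extract, 'moo' );
mkdir $extract           or die "mkdir: $!";
symlink $outside, $entry or die "symlink: $!";               # dangling link

my $fh = open_excl($entry);
printf "O_EXCL open: %s\n", $fh ? 'succeeded (unexpected)' : "refused: $!";
printf "file outside extraction dir created: %s\n", -e $outside ? 'yes' : 'no';

$fh = open_trunc($entry);
printf "'>' open:    %s\n", $fh ? 'succeeded (followed the link)' : "failed: $!";
$fh->close if $fh;
printf "file outside extraction dir created: %s\n", -e $outside ? 'yes' : 'no';
```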
MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-369-1529108157-1377.125523-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline
X-RT-Interface: Web
References: <RT-Ticket-125523 [...] rt.cpan.org> <rt-4.0.18-28401-1528407089-203.125523-6-0 [...] rt.cpan.org> <rt-4.0.18-14810-1528444972-303.125523-6-0 [...] rt.cpan.org> <rt-4.0.18-14824-1528946270-1030.125523-6-0 [...] rt.cpan.org> <20180616001528.xjofcf2ibi53spyi [...] urchin.earth.li> <rt-4.0.18-369-1529108157-1377.125523-0-0 [...] rt.cpan.org>
Content-Type: text/plain; charset="utf-8"
Message-ID: <rt-4.0.18-29383-1529114014-1194.125523-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
RT-Send-CC: dom [...] earth.li
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 709
On Fri Jun 15 20:15:57 2018, dom@earth.li wrote:
> On Wed, Jun 13, 2018 at 11:17:51PM -0400, Andrew Fresh via RT wrote:
> This isn't to say that the attack you describe isn't valid, but it
> would be much, much harder to pull off, since it would require the victim
> to be unpacking an archive - and this isn't a bug in Archive-Tar so much
> as a user behaviour problem, right?
>
> Or am I misunderstanding completely?
>
> Dominic.
I think you are correct, I must have misunderstood the problem when first reading the ticket. The existing patch should solve the problem of a malicious tar file extracting outside of the current working directory with a symlink. Thank you for explaining again.