CVE-2018-12015: Directory Traversal in Archive::Tar

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

CVE-2018-12015: Directory Traversal in Archive::Tar

Silamael
Hi,


The version of Archive::Tar part of the base system's Perl contains
CVE-2018-12015:

Original bug report: https://rt.cpan.org/Public/Bug/Display.html?id=125523

Original commit with the fix:
https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5 


The vulnerability was fixed in version 2.28 of Archive::Tar.


The attached patch is for OpenBSD 6.3.


Greetings,

Matthias


------------------------------------

CVE-2018-12015: Directory Traversal in Archive::Tar

--------------------------------------------------------------------------------

 From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[hidden email]>
Date: Fri, 8 Jun 2018 11:45:40 +0100
Subject: [PATCH] [PATCH] Remove existing files before overwriting them

Archive should extract only the latest same-named entry.
Extracted regular file should not be writtent into existing block
device (or any other one).

https://rt.cpan.org/Ticket/Display.html?id=125523

Signed-off-by: Chris 'BinGOs' Williams <[hidden email]>
---
  lib/Archive/Tar.pm | 14 ++++++++++++++
  1 file changed, 14 insertions(+)

diff --git a/lib/Archive/Tar.pm b/lib/Archive/Tar.pm
index 6244369..a83975f 100644
--- gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm.orig Tue Jun 12
13:29:41 2018
+++ gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm Tue Jun 12
13:34:19 2018
@@ -845,6 +845,20 @@ sub _extract_file {
          return;
      }

+    ### If a file system already contains a block device with the same
name as
+    ### the being extracted regular file, we would write the file's content
+    ### to the block device. So remove the existing file (block device)
now.
+    ### If an archive contains multiple same-named entries, the last one
+    ### should replace the previous ones. So remove the old file now.
+    ### If the old entry is a symlink to a file outside of the CWD, the new
+    ### entry would create a file there. This is CVE-2018-12015
+    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
+    if (-l $full || -e _) {
+       if (!unlink $full) {
+           $self->_error( qq[Could not remove old file '$full': $!] );
+           return;
+       }
+    }
      if( length $entry->type && $entry->is_file ) {
          my $fh = IO::File->new;
          $fh->open( '>' . $full ) or (