Your message dated Mon, 24 Feb 2014 21:47:47 +0000
with message-id <[email protected]>
and subject line Bug#731860: fixed in libtar 1.2.11-6+deb6u2
has caused the Debian Bug report #731860,
regarding libtar: CVE-2013-4420: directory traversal when extracting archives
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
731860: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libtar
Severity: grave
Tags: security

Hi,
the following vulnerability was published for libtar.

CVE-2013-4420[0]:
tar_extract_glob and tar_extract_all path prefix directory traversal

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
    http://security-tracker.debian.org/tracker/CVE-2013-4420

Attached is a proposed patch that makes libtar work similarly to tar.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Index: libtar-1.2.16/lib/decode.c
===================================================================
--- libtar-1.2.16.orig/lib/decode.c	2013-12-09 14:11:03.212344872 +0100
+++ libtar-1.2.16/lib/decode.c	2013-12-09 14:49:19.865470471 +0100
@@ -21,24 +21,54 @@
 # include <string.h>
 #endif
 
+char *
+safer_name_suffix (char const *file_name)
+{
+	char const *p, *t;
+	p = t = file_name;
+	while (*p)
+	{
+		if (p[0] == '.' && p[0] == p[1] && p[2] == '/')
+		{
+			p += 3;
+			t = p;
+		}
+		/* advance pointer past the next slash */
+		while (*p && (p++)[0] != '/');
+	}
+
+	if (!*t)
+	{
+		t = ".";
+	}
+
+	if (t != file_name)
+	{
+		/* TODO: warn somehow that the path was modified */
+	}
+	return (char*)t;
+}
 
 /* determine full path name */
 char *
 th_get_pathname(TAR *t)
 {
 	static char filename[MAXPATHLEN];
+	char *safer_name;
 
 	if (t->th_buf.gnu_longname)
-		return t->th_buf.gnu_longname;
+		return safer_name_suffix(t->th_buf.gnu_longname);
+
+	safer_name = safer_name_suffix(t->th_buf.name);
 
 	if (t->th_buf.prefix[0] != '\0')
 	{
 		snprintf(filename, sizeof(filename), "%.155s/%.100s",
-			 t->th_buf.prefix, t->th_buf.name);
+			 t->th_buf.prefix, safer_name);
 		return filename;
 	}
 
-	snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);
+	snprintf(filename, sizeof(filename), "%.100s", safer_name);
 	return filename;
 }
 
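Review bot: the `p += 3` in `safer_name_suffix()` combined with the inner `while (*p && (p++)[0] != '/');` advances past two components per match, so consecutive `..` components are only half removed: for a name starting `../../x` the match skips the first `../`, the inner loop then runs straight over the second `../` without the `..` test ever seeing it, and the function returns `../x`. Drop the `p += 3` (set `t = p + 3` and let the inner loop be the only thing that moves `p`), or `continue` right after updating `t`, so every component is tested. Two further gaps in the same function: a leading `/` is never stripped, so absolute member names come back unchanged, and the `TODO` leaves callers with no indication that a name was rewritten, which is exactly the case an extracting application would want to log. Minor: the `(char*)t` cast discards the `const` of `file_name`; a `char const *` return type would avoid it.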
Index: libtar-1.2.16/lib/extract.c
===================================================================
--- libtar-1.2.16.orig/lib/extract.c	2013-12-09 14:11:03.212344872 +0100
+++ libtar-1.2.16/lib/extract.c	2013-12-09 14:39:22.248955358 +0100
@@ -305,7 +305,7 @@ tar_extract_hardlink(TAR * t, char *real
 		linktgt = &lnp[strlen(lnp) + 1];
 	}
 	else
-		linktgt = th_get_linkname(t);
+		linktgt = safer_name_suffix(th_get_linkname(t));
 
 #ifdef DEBUG
 	printf("  ==> extracting: %s (link to %s)\n", filename, linktgt);
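Review bot: sanitising the target only at this call site leaves every other `th_get_linkname()` caller unsanitised, whereas `th_get_pathname()` in decode.c now does the stripping internally for all of its callers. Applying `safer_name_suffix()` inside `th_get_linkname()` would make the two accessors behave the same way and remove the need for each call site to remember the wrapper.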
@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna
 
 #ifdef DEBUG
 	printf("  ==> extracting: %s (symlink to %s)\n",
-	       filename, th_get_linkname(t));
+	       filename, safer_name_suffix(th_get_linkname(t)));
 #endif
-	if (symlink(th_get_linkname(t), filename) == -1)
+	if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
 	{
 #ifdef DEBUG
 		perror("symlink()");
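Review bot: rewriting the symlink target changes what legitimate archives produce and the change is not documented anywhere in the patch: a relative target that stays inside the tree, for instance a member `lib/libfoo.so` linking to `../lib64/libfoo.so` (illustrative name), becomes a link to `lib64/libfoo.so` resolved under `lib/`, so the link is dangling after extraction. The behaviour change belongs in the changelog, and a caller-visible way to opt out (or at least a warning) is worth considering. Style: the DEBUG message and the `symlink()` call each recompute `safer_name_suffix(th_get_linkname(t))`; computing it once into a local before the `#ifdef DEBUG` keeps the two from drifting apart.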
Index: libtar-1.2.16/lib/internal.h
===================================================================
--- libtar-1.2.16.orig/lib/internal.h	2012-05-17 09:34:32.000000000 +0200
+++ libtar-1.2.16/lib/internal.h	2013-12-09 14:36:57.503866114 +0100
@@ -15,3 +15,4 @@
 
 #include <libtar.h>
 
+char* safer_name_suffix(char const*);
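Review bot: the new prototype should carry a comment stating the contract callers depend on: the return value is a pointer into the argument (no allocation, no copy) and may be the string literal `"."` when the entire name is stripped, so it must be neither freed nor modified. Style: decode.c declares the function as `char *` with the space before the star; match that here (`char *safer_name_suffix(char const *);`).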

--- End Message ---
--- Begin Message ---
Source: libtar
Source-Version: 1.2.11-6+deb6u2

We believe that the bug you reported is fixed in the latest version of
libtar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Magnus Holmgren <[email protected]> (supplier of updated libtar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 16 Feb 2014 19:44:16 +0100
Source: libtar
Binary: libtar-dev libtar
Architecture: source amd64
Version: 1.2.11-6+deb6u2
Distribution: squeeze-security
Urgency: low
Maintainer: Julien Danjou <[email protected]>
Changed-By: Magnus Holmgren <[email protected]>
Description: 
 libtar     - C library for manipulating tar archives
 libtar-dev - C library for manipulating tar archives
Closes: 731860
Changes: 
 libtar (1.2.11-6+deb6u2) squeeze-security; urgency=low
 .
   * [SECURITY] CVE-2013-4420: Strip out leading slashes and any
     pathname prefix containing ".." components (Closes: #731860). This is
     done in th_get_pathname() (as well as to symlink targets when
     extracting symlinks), not merely when extracting files, which means
     applications calling that function will not see the stored
     filename. There is no way to disable this behaviour, but it can be
     expected that one will be provided when the issue is solved upstream.
   * Make the th_get_size() macro cast the result from oct_to_int() to
     unsigned int. This is the right fix for bug #725938 on 64-bit systems,
     where a specially crafted tar file would not cause an integer
     overflow, but a memory allocation of almost 16 exbibytes, which would
     certainly fail outright without harm.


--- End Message ---
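The stripping behaviour the squeeze changelog describes for th_get_pathname(), as an added example in C that is neither libtar's nor Debian's code: `safe_member_name`, `is_dotdot` and the sample names are constructed here, and the function drops leading slashes and everything up to the last `..` component, including runs of consecutive `..`.

```c
/* Added example, not libtar's code: a member-name sanitizer doing what the
 * changelog above describes for th_get_pathname(): drop leading slashes and
 * every prefix up to and including the last ".." component, so an entry can
 * only be created below the extraction directory.  The returned pointer
 * aliases the input; a name that is stripped away entirely becomes ".". */
#include <stdio.h>
#include <string.h>

/* True when p starts a ".." component (followed by '/' or end of string). */
static int is_dotdot(const char *p)
{
    return p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0');
}

const char *safe_member_name(const char *name)
{
    const char *p;
    const char *t = name;

    /* Absolute names lose their leading slashes. */
    while (*t == '/')
        t++;

    /* Walk component by component; remember the end of the last "..". */
    for (p = t; *p; ) {
        if (is_dotdot(p))
            t = p + 2;
        /* Skip to the character after the next '/' (or to the end). */
        while (*p && *p++ != '/')
            ;
    }

    /* t may sit on the '/' that followed "..": drop it and any repeats. */
    while (*t == '/')
        t++;
    return *t ? t : ".";
}

int main(void)
{
    /* Constructed sample member names, not taken from any real archive. */
    const char *samples[] = { "etc/motd", "/etc/motd", "../../etc/motd",
                              "usr/../../etc/motd", "a/..b/c", "a/b/.." };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i], safe_member_name(samples[i]));
    return 0;
}
```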
