Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 10 Oct 2013 23:39:48 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: libtar: missing validation of file names

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/10/2013 01:28 PM, Naufragium Est wrote:
> is this also CVE-worthy?
> 
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
>
> 
>> The functions tar_extract_glob and tar_extract_all accept a path
>> prefix on where to extract files to. However, libtar does not
>> validate the file names stored inside a tar file, possibly
>> leading to a file extraction outside the prefix path. For
>> example, consider a file name "../../etc/passwd". If extract_all
>> is called with prefix "/home/USER/", libtar would try to
>> overwrite "/etc/passwd".
> 
> not fixed yet:
> 
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000362.html
>
> 
>> Once I figure out the right way of handling this, there will
>> probably be another libtar release.

Please use CVE-2013-4420 for libtar tar_extract_glob and
tar_extract_all path prefix directory traversal

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSV48kAAoJEBYNRVNeJnmTZL8QALkqVWW7Y+Zn63hyNF6Hwt8M
QfEi9gAacE+vDG6CEpFwMmHsJJRufGzUGSOjSz60z16U6zXri54FGDbkkaSgsQB8
fUV7x5prW1OfgK9YfZw80ei48Esf8w51IlrMcG5bkpwciMWwrKYpGQCWk71UxQ2a
jFYdhpCw1hcD/ULSVJjS2NClI13/ZsaHqtU3wL2YDpHh/52Nbx+40jegA+EN2W9s
u8jf+eWqy7kYs/VYYcsNH+jW3WZn/hGPGtymPEN9nkeeeIch8mvCA7rEdnKA37jW
c3QECQPqVFK+VL0GEThX2xpN217o3r0TNr7dc3Xgyv61MYIeNBsFvjUmISMrAKOt
SkrwFP8noJcv5usvNDONebGK7Uf6XlOTL4/eJKlS4iC+gqn4Ugo3ZROrBca9cCpF
wh/+oodGXwuGLlWiWBduDibYrQWMhd5gbA96P7eOj6XSpHotWpbvDLDkyvc9Arv8
dIT3bHrKIEnU7L0qo7H+MsgBkH1A31wW1d6nQ0RQU6/v04MS2GkLjIJrOPeZ7nai
uNcvgqQh0SRR1NAI49QSlfz6wO3Z/NUEmeLNxML0EMdxdhVJI+AlW/n1xwGv6j0p
A636LXItisyXT2lbQcufkgUXqk6izh7SQ9IKdTCpgpXfRM4LDXfY1A2uFHu17CTm
r56AGzsFqURdAAG1dnZi
=ymrw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.