Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 28 Sep 2002 17:52:05 +0400
From: Solar Designer <solar@...nwall.com>
To: xvendor@...ts.openwall.com
Cc: Paul Eggert <eggert@...nsun.com>
Subject: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

JFYI (and to avoid list lag), I've just sent this to Bugtraq.  As all
of this is public for 1 to 4 years, I think this and GNU tar in
general may be discussed on xvendor rather than vendor-sec.

Paul, -- is there anything more current than tar-1.13.25 (released
over a year ago)?  Perhaps a CVS repository?

----- Forwarded message from Solar Designer <solar@...nwall.com> -----

Date: Sat, 28 Sep 2002 17:39:33 +0400
From: Solar Designer <solar@...nwall.com>
To: Bencsath Boldizsar <bencsath.boldizsar@...l2002.ebizlab.hit.bme.hu>
Cc: bugtraq@...urityfocus.com
Subject: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)
In-Reply-To: <Pine.LNX.4.44.0209270208190.21585-100000@...acontact.hu>
User-Agent: Mutt/1.4i

On Fri, Sep 27, 2002 at 02:11:07AM +0200, Bencsath Boldizsar wrote:
> 2. Description of the "tar" problem
> 
> Creating a tar file with -P option one can put any file names in the tar
> file. While unpacking such tar files, tar is designed to remove leading
> slash. Other security feature of the tar package is to deny deployment of
> any files whose name contains "dotdot" (".."). A bug in the tar package
> leads to a security flaw:
> "../something" is denied by tar
> "/something" leading slash is removed
> "/../something"  leading slash removed but ".." is NOT denied
> "./../something" ".." is NOT denied.
> 
> Although we found this bug by studying tar, we found that this bug has
> been found by others, we should give them credit:

I believe 3APA3A was first to post this to Bugtraq last year:

http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666

At least 1.13.17 and 1.13.18 are known to get the contains_dot_dot()
function right, some older versions certainly didn't have it.  1.13.19
introduced a bug which broke the check and it's still not fixed in
1.13.25.

There's another related problem where tar could be made to follow a
symlink it just extracted and place a file outside of the intended
directory tree, pointed out on Bugtraq by Willy TARREAU in 1998:

http://marc.theaimsgroup.com/?l=bugtraq&m=90674255917321

Paul Eggert included a fix for it in 1.13.18:

"2000-10-23

...Extract potentially dangerous symbolic links more carefully,
deferring their creation until the end, and using a regular file
placeholder in the meantime."

However, he later broke it with a typo (reversed check) in 1.13.19.
1.13.25 has that check fixed again.

I've now fixed these two bugs and a third (non-security) bug that
1.13.19 introduced for the Owl package, with proper credit to you and
others involved, in both the package and the system-wide change log:

http://www.openwall.com/Owl/CHANGES.shtml

Although the two security bugs are now fixed, please keep in mind that
tar has traditionally been intended for making and extracting tape
backups rather than archives obtained from untrusted sources.  Be very
careful with what input you pass it and what user you run it as.

I've attached the two security patches to this message.  The dot-dot
patch is valid for 1.13.19 to 1.13.25, the symlink patch is needed for
1.13.19 and possibly some versions after it but not 1.13.25.  Other
patches that we use may be obtained via:

cvs -z3 -d :pserver:anoncvs:anoncvs@...ncvs.owl.openwall.com:/cvs co Owl/packages/tar

or:

http://www.openwall.com/Owl/ (and pick an FTP mirror)
ftp://ftp.ru.openwall.com/pub/Owl/current/native.tar.gz

-- 
/sd

diff -ur tar-1.13.19.orig/src/misc.c tar-1.13.19/src/misc.c
--- tar-1.13.19.orig/src/misc.c	Sat Jan 13 08:59:29 2001
+++ tar-1.13.19/src/misc.c	Sat Sep 28 13:48:03 2002
@@ -206,12 +206,12 @@
       if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
 	return 1;
 
-      do
+      while (! ISSLASH (*p))
 	{
 	  if (! *p++)
 	    return 0;
 	}
-      while (! ISSLASH (*p));
+      p++;
     }
 }
 .

diff -ur tar-1.13.19.orig/src/extract.c tar-1.13.19/src/extract.c
--- tar-1.13.19.orig/src/extract.c	Sat Jan 13 08:59:29 2001
+++ tar-1.13.19/src/extract.c	Sat Sep 28 15:37:33 2002
@@ -850,7 +850,7 @@
 	break;
 
       if (absolute_names_option
-	  || (ISSLASH (current_link_name
+	  || (! ISSLASH (current_link_name
 		       [FILESYSTEM_PREFIX_LEN (current_link_name)])
 	      && ! contains_dot_dot (current_link_name)))
 	{


----- End forwarded message -----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the xvendor mailing list charter.