Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 28 Sep 2002 21:19:42 +0100 (BST)
From: Mark J Cox <mjc@...hat.com>
To: xvendor@...ts.openwall.com
cc: Paul Eggert <eggert@...nsun.com>
Subject: Re: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

> Paul, -- is there anything more current than tar-1.13.25 (released
> over a year ago)?  Perhaps a CVS repository?

Yes we noticed this problem with ./../ not being caught and told the tar
folks.  We allocated CAN-2002-0399 for this, wrote a patch, prepared an 
errata, but waited to see if an official fix was coming.  

Date: Mon, 27 May 2002 11:44:58 +0100 (BST)
From: Mark J Cox <mjc@...hat.com>
To: bug-tar@....org, eggert@...nsun.com
Cc: teg@...hat.com, bbrock@...hat.com
Subject: [SECURITY] bug in contains_dot_dot routine

We've recently been looking at the vulnerability mentioned on bugtraq
nearly a year ago:

"Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows
local users overwrite arbitrary files during archive extraction via a tar
file whose filenames contain a .. (dot dot)."  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267

This was fixed by the routine contains_dot_dot in misc.c in tar, which
catches the case where a tar file contains an entry such as "../foo"

However during testing of 1.13.25 we found that we could still trigger
this problem with an entry such as "./../foo" and this is due to a logic
error in misc.c

I've attached a small patch that fixes this (I didn't spend time looking
to see if multiple ISSLASH are already stripped, if so you could optimize
the patch further)

Cheers, Mark
--
Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation
mjc@...hat.com // T: +44 798 061 3110 // F: +44 870 1319174


    [ Part 2, ""  Text/PLAIN (Name: "tmp1.patch")  6 lines. ]
    [ Unable to print this part. ]

Powered by blists - more mailing lists

Please check out the xvendor mailing list charter.