Re: [Savannah-help-public] newer tar: avoid .. exploit


From: Sylvain Beucler
Subject: Re: [Savannah-help-public] newer tar: avoid .. exploit
Date: Sun, 9 Sep 2007 10:28:49 +0200
User-agent: Mutt/1.5.13 (2006-08-11)

On Sun, Sep 09, 2007 at 09:45:31AM +0200, Jim Meyering wrote:
> [deliberately not sent to the -public list]

Hmm, except that savannah-hackers is the historical alias for
savannah-help-public, but who cares? ;)

http://savannah.gnu.org/maintenance/SavannahHackersCommunication

> Hi guys,
> 
> You've probably heard about the latest exploitable tar bug: If you
> unpack a malicious tar archive, it can overwrite (through e.g., ../..)
> any number of your key files with tarball-supplied contents.  Fixed only
> recently in GNU tar for the upcoming 1.18.1 release.

I hadn't heard of it. It seems it's a bit more complicated (symlinks +
'//..') but I guess the risk is the same.


> It would be prudent to install the fixed version wherever root
> might unpack an untrusted tarball or forget to verify a signature
> or checksum before unpacking what they think is a trusted tarball
> (imagine a cracked mirror of trusted sources):
> 
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131

I don't think anything is extracting tar automatically, but this can
happen to us when we extract a CVS tarball for import. Or indeed, a
cracked tarball, like the ZWiki I installed yesterday.


> Most vendors already have the fix.  E.g., 1.18-2 in Debian.
> Is there policy for this on savannah?  The installed tar is version 1.16,

We stick to Debian Etch and we follow the security updates. apticron
warns us whenever there are security updates to retrieve.

Having a look at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439335 though, it
seems the maintainer is probably not going to warn the Debian security
team:
-----
> > Why does this merit a 'grave' severity when there is no apparent
> > priv escalation involved?
> A user does not expect tar to allow absolute path names unless the -P
> option is given.
That's not a justification for severity 'grave' in the Debian BTS.
-----

Ahem...

I'll post a follow-up.

Until there's a proper security update, we can temporarily backport
Lenny's version. Do you know if 1.16 is vulnerable though?

-- 
Sylvain
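The traversal cases discussed in this thread (names containing "../..", absolute names, and the symlink-plus-".." variant) can be checked for before any extraction happens. The following is an added example, not code from the original post, from GNU tar or from Savannah: a Python audit pass over the members of an archive that reports every entry which would be written outside the extraction directory. The sample archive is constructed inside the script and its entry names are made up for the test; the function names are the example's own.

```python
import io
import posixpath
import tarfile


def normalize(name):
    # Collapse ".", ".." and repeated "/" the way the extractor will resolve
    # them. posixpath.normpath keeps a leading "/" (and the POSIX "//" form),
    # so absolute names stay recognisable after normalisation.
    return posixpath.normpath(name)


def escapes_root(norm):
    """True if a normalised path would land outside the extraction directory."""
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def audit_tar_members(tar):
    """Return [(member_name, reason), ...] for members that must not be extracted.

    Flagged: absolute names, names that climb above the extraction root with
    "..", members whose path passes through a symlink defined earlier in the
    same archive (the symlink + ".." pattern), and symlinks/hard links whose
    target itself points outside the root.
    """
    findings = []
    symlinks = set()  # normalised paths of symlinks already seen in this archive
    for m in tar.getmembers():
        name = normalize(m.name)
        if escapes_root(name):
            findings.append((m.name, "path escapes extraction root"))
            continue
        # Conservative policy: refuse to write anything through an earlier
        # symlink, whatever that symlink points at.
        parts = name.split("/")
        through = None
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                through = prefix
                break
        if through is not None:
            findings.append((m.name, "path passes through earlier symlink %r" % through))
            continue
        if m.issym():
            target = m.linkname
            # Relative symlink targets resolve from the symlink's own directory.
            resolved = normalize(target if target.startswith("/")
                                 else posixpath.join(posixpath.dirname(name), target))
            symlinks.add(name)
            if escapes_root(resolved):
                findings.append((m.name, "symlink target %r escapes extraction root" % target))
        elif m.islnk():
            # Hard link targets are archive-root-relative member names.
            if escapes_root(normalize(m.linkname)):
                findings.append((m.name, "hard link target %r escapes extraction root" % m.linkname))
    return findings


def build_sample_archive():
    """Constructed sample archive for the demonstration; not a real tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"sample\n"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("pkg/README")                 # benign
        add_file("pkg/../../outside.txt")      # climbs above the root
        add_file("/etc/example.conf")          # absolute name
        add_symlink("pkg/escape", "../../")    # symlink pointing above the root
        add_symlink("pkg/link", "docs")        # harmless symlink on its own ...
        add_file("pkg/link/payload")           # ... but a later write goes through it
    return buf.getvalue()


def audit_bytes(data):
    """Audit an archive held in memory and return the findings list."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return audit_tar_members(tar)


if __name__ == "__main__":
    for name, reason in audit_bytes(build_sample_archive()):
        print("REJECT %-24s %s" % (name, reason))
```

Run on the constructed archive, the audit accepts only "pkg/README" and rejects the other four entries. Refusing every write through an earlier symlink is deliberately stricter than checking the symlink's target, because a target that is inside the tree at audit time can still be redirected before extraction reaches the later member. Recent Python releases (3.12, and the security backports of 3.8 through 3.11) offer `tar.extractall(path, filter="data")`, which applies equivalent rejections at extraction time; the audit above is useful where that filter is unavailable or where a report is wanted before anything touches disk.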
