Bug 11424

Summary: libtar - Heap-based buffer overflows by expanding a specially-crafted archive (CVE-2013-4397)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570142/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: libtar CVE:
Status comment:

Description Oden Eriksson 2013-10-10 08:07:46 CEST 
http://www.openwall.com/lists/oss-security/2013/10/10/4

"Date: Thu, 10 Oct 2013 10:06:05 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
CC: timo.warns@...il.com, cdfrey@...rsquare.net
Subject: Integer overflow in libtar (<= 1.2.19)

Hi All,

Forwarding information from the linux-distros list to oss-sec, since
the issue is public now

Details:

An integer overflow vulnerability was identified in libtar 1.2.19 (and
olders) that can possibly be exploited for arbitrary code execution when
extracting a specially crafted tar file.

A coordinated release date (CRD) of October 9th has been agreed with
Chris Frey (libtar developer).

This issue is assigned CVE-2013-4397.
This issue is fixed in libtar-1.2.20

Reference:

Upstream patch:
http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04

Announcement: This is an announcement about the release on
libtar list, but strangely i cant access the list archives.
(i am subscribed to the mailing list though)

Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1014492

-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team"

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-10-10 08:16:19 CEST 
Fixed with libtar-1.2.11-10.1.mga2, libtar-1.2.18-2.1.mga3 and libtar-1.2.20-1.mga4.
Comment 2 David Walser 2013-10-10 19:26:47 CEST 
Thanks Oden!

Advisory:
========================

Updated libtar packages fix security vulnerability:

Two heap-based buffer overflow flaws were found in the way libtar handled
certain archives. If a user were tricked into expanding a specially-crafted
archive, it could cause the libtar executable or an application using
libtar to crash or, potentially, execute arbitrary code (CVE-2013-4397).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397
https://rhn.redhat.com/errata/RHSA-2013-1418.html
========================

Updated packages in core/updates_testing:
========================
libtar-1.2.11-10.1.mga2
libtar-devel-1.2.11-10.1.mga2
libtar-1.2.18-2.1.mga3
libtar0-1.2.18-2.1.mga3
libtar-devel-1.2.18-2.1.mga3

from SRPMS:
libtar-1.2.11-10.1.mga2.src.rpm
libtar-1.2.18-2.1.mga3.src.rpm

Version: 2 => 3
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4397: libtar - Heap-based buffer overflows by expanding a specially-crafted archive => libtar - Heap-based buffer overflows by expanding a specially-crafted archive (CVE-2013-4397)
Whiteboard: (none) => MGA2TOO
Severity: normal => major

Comment 3 Dave Hodgins 2013-10-10 20:55:18 CEST 
Advisory 11424.adv committed to svn

CC: (none) => davidwhodgins

Comment 4 David Walser 2013-10-11 00:32:58 CEST 
FYI there may be more fixing coming for libtar:
http://openwall.com/lists/oss-security/2013/10/10/21
Comment 5 Oden Eriksson 2013-10-11 16:08:44 CEST 
https://bugzilla.redhat.com/show_bug.cgi?id=1018150
Comment 6 David Walser 2013-10-11 20:07:38 CEST 
RedHat has issued an advisory for this on October 10:
https://rhn.redhat.com/errata/RHSA-2013-1418.html

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397 => http://lwn.net/Vulnerabilities/570142/

Comment 7 claire robinson 2013-10-14 13:22:05 CEST 
Testing complete mga3 64

Using a modified C++ example from here [1]. I'll paste the modified version in a separate comment. It should create file.tar.bz2 from the directory testdir.

[1] http://stackoverflow.com/questions/813223/how-to-compress-a-directory-with-libbz2-in-c

Before
------

# urpmi lib64bzip2-devel 
# urpmi lib64tar-devel

$ cd test
$ mkdir testdir
$ echo "test test test" > testdir/testfile.txt
$ ls
tartest.cpp  testdir/

$ g++ tartest.cpp  -ltar -lbz2 -o tartest
$ ls
tartest*  tartest.cpp  testdir/

$ ./tartest
$ ls
file.tar.bz2  tartest*  tartest.cpp  testdir/

Check it worked..

$ file file.tar.bz2 
file.tar.bz2: bzip2 compressed data, block size = 700k

$ tar xvjf file.tar.bz2 
./
./testfile.txt

$ ls
file.tar.bz2  tartest*  tartest.cpp  testfile.txt

$ cat testfile.txt 
test test test


After
-----
# urpmi libtar lib64tar0 lib64tar-devel 
              
installing lib64tar-devel-1.2.18-2.1.mga3.x86_64.rpm libtar-1.2.18-2.1.mga3.x86_64.rpm lib64tar0-1.2.18-2.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################
      1/3: lib64tar0             ##########################
      2/3: lib64tar-devel        ##########################
      3/3: libtar                ##########################
      1/3: removing libtar-1.2.18-2.mga3.x86_64
                                 ##########################
      2/3: removing lib64tar-devel-1.2.18-2.mga3.x86_64
                                 ##########################
      3/3: removing lib64tar0-1.2.18-2.mga3.x86_64
                                 ##########################


Rebuild tartest with new lib.

$ rm -f file.tar.bz2 tartest testfile.txt
$ g++ tartest.cpp  -ltar -lbz2 -o tartest
$ ls
tartest*  tartest.cpp  testdir/

$ ./tartest

etc.

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Comment 8 claire robinson 2013-10-14 13:23:54 CEST 
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <libtar.h>
#include <bzlib.h>
#include <unistd.h>

int main()
{
    TAR *pTar;
    char tarFilename[] = "file.tar";
    char srcDir[] = "testdir/";
    char extractTo[] = ".";

    tar_open(&pTar, tarFilename, NULL, O_WRONLY | O_CREAT, 0644, TAR_GNU);
    tar_append_tree(pTar, srcDir, extractTo);

    close(tar_fd(pTar));

    int tarFD = open(tarFilename, O_RDONLY);

    char tbz2Filename[] =  "file.tar.bz2";
    FILE *tbz2File = fopen(tbz2Filename, "wb");
    int bzError;
    const int BLOCK_MULTIPLIER = 7;
    BZFILE *pBz = BZ2_bzWriteOpen(&bzError, tbz2File, BLOCK_MULTIPLIER, 0, 0);

    const int BUF_SIZE = 10000;
    char* buf = new char[BUF_SIZE];
    ssize_t bytesRead;
    while((bytesRead = read(tarFD, buf, BUF_SIZE)) > 0) {
        BZ2_bzWrite(&bzError, pBz, buf, bytesRead);
    }        
    BZ2_bzWriteClose(&bzError, pBz, 0, NULL, NULL);
    close(tarFD);
    remove(tarFilename);

    delete[] buf;

}
Comment 9 claire robinson 2013-10-14 13:34:44 CEST 
Getting too complicated here, libtar is a command :)

$ libtar -c tartest.tar testdir/*

$ rm -rf testdir

$ file tartest.tar
tartest.tar: POSIX tar archive

$ libtar -x tartest.tar
$ cat testdir/testfile.txt 
test test test


Much more simples!
Comment 10 claire robinson 2013-10-14 13:50:02 CEST 
Testing complete mga2 64

$ echo "test test test" >test.txt
$ libtar -c tartest.tar test.txt
$ rm -f test.txt
$ libtar -x tartest.tar
$ cat test.txt 
test test test

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-64-ok

Comment 11 claire robinson 2013-10-14 14:02:40 CEST 
Testing complete mga2 32 & mga3 32

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 12 claire robinson 2013-10-14 14:05:06 CEST 
Validating. Advisory uploaded in comment 3.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Thomas Backlund 2013-10-17 22:05:17 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0309.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED