Bug 12824

Summary: libtar new security issue CVE-2013-4420
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: desotel216, lewyssmith, oe, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/587141/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK advisory
Source RPM: libtar-1.2.20-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-02-19 22:28:12 CET 
Debian has issued an advisory on February 18:
http://www.debian.org/security/2014/dsa-2863

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libtar packages fix security vulnerability:

A directory traversal attack was reported against libtar, a C library for
manipulating tar archives. The application does not validate the filenames
inside the tar archive, allowing to extract files in arbitrary path. An
attacker can craft a tar file to override files beyond the tar_extract_glob
and tar_extract_all prefix parameter (CVE-2013-4420).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
http://www.debian.org/security/2014/dsa-2863
========================

Updated packages in core/updates_testing:
========================
libtar-1.2.18-2.2.mga3
libtar0-1.2.18-2.2.mga3
libtar-devel-1.2.18-2.2.mga3
libtar-1.2.20-2.1.mga4
libtar0-1.2.20-2.1.mga4
libtar-devel-1.2.20-2.1.mga4

from SRPMS:
libtar-1.2.18-2.2.mga3.src.rpm
libtar-1.2.20-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-19 22:28:18 CET

Whiteboard: (none) => MGA3TOO

Comment 1 Oden Eriksson 2014-02-20 11:11:57 CET 
PoC:

wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=triple-double-dot.tar;att=1;bug=731860" -O triple-double-dot.tar

mkdir -p 1/2/3
cd 1/2/3
(pre patch)
libtar -x ../../../triple-double-dot.tar
ls ../../../empty-file 
../../../empty-file
(post patch)
ls ../../../empty-file 
ls: cannot access ../../../empty-file: No such file or directory

CC: (none) => oe

Comment 2 Lewis Smith 2014-02-20 14:41:36 CET 
Tested Mageia 4 64-bit real hardware: OK.

CAUTION for other testers:
1) Do not assume that because you have tar, you have these libraries! You may well have to install them first.
2) No use trying with tar itself. That already does the correct thing, like the updated libtars. You really do need to use libtar directly as specified.
$ tar -xf ../../../triple-double-dot.tar
tar: Removing leading `../../../' from member names

BEFORE
libtar-1.2.20-2.mga4    lib64tar0-1.2.20-2.mga4
Test as per Comment 1, starting from Home directory, then in ~/1/2/3/:
$ libtar -x ../../../triple-double-dot.tar
$ ls
$ ls ../../../empty-file   [here => Home]
../../../empty-file        [which should not be there]

Then, necessarily for the POC:
$ rm ~/empty-file          [erroneously extracted there]

AFTER
libtar-1.2.20-2.1.mga4    lib64tar0-1.2.20-2.1.mga4
$ libtar -x ../../../triple-double-dot.tar
$ ls
empty-file        [correctly extracted here]
$ ls ~/empty-file
ls: cannot access /home/lewis/empty-file: No such file or directory

CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 3 Oden Eriksson 2014-02-20 17:42:24 CET 
======================================================
Name: CVE-2013-4420
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[libtar] 20150213 Fw: Re: Validation of file names
Reference: URL:https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html
Reference: CONFIRM:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
Reference: DEBIAN:DSA-2863
Reference: URL:http://www.debian.org/security/2014/dsa-2863

Multiple directory traversal vulnerabilities in the (1)
tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20
and earlier allow remote attackers to overwrite arbitrary files via a
.. (dot dot) in a crafted tar file.
Comment 4 claire robinson 2014-02-21 13:35:33 CET 
Testing complete mga3 32 & 64

Needs testing mga4 32 to validate

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK

Comment 5 David Walser 2014-02-21 15:46:13 CET 
Testing complete on Mageia 4 i586, confirming the vulnerability and the fix.
Comment 6 Rémi Verschelde 2014-02-21 16:50:28 CET 
Adding MGA4-32-OK tag as per comment 5.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK

Comment 7 Rémi Verschelde 2014-02-21 16:52:42 CET 
Validating update, advisory has been uploaded. Please push to 3 & 4 core/updates.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-02-21 19:28:40 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0090.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => tmb

Comment 9 James lernard 2023-02-23 13:04:27 CET Comment hidden (spam)

CC: (none) => desotel216