| Summary: | ruby-archive-tar-minitar new security issue CVE-2016-10173 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Nicolas Salguero <nicolas.salguero> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, marja11, nicolas.salguero, qa-bugs, sysadmin-bugs, tarazed25 |
| Version: | 5 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/713148/ | ||
| Whiteboard: | has_procedure MGA5-64-OK MGA5-32-OK | ||
| Source RPM: | ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 20317 | ||
| Bug Blocks: | |||
Description
David Walser
2017-01-29 17:46:47 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11

Debian has issued an advisory for this on January 30: https://lwn.net/Alerts/713128/

URL: (none) => https://lwn.net/Vulnerabilities/713148/

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry. (CVE-2016-10173)

References:
http://openwall.com/lists/oss-security/2017/01/29/1
https://lwn.net/Alerts/713128/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10173
========================

Updated package in core/updates_testing:
========================
ruby-archive-tar-minitar-0.5.2-14.1.mga5

from SRPMS:
ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm

Status: NEW => ASSIGNED

Shall test this on both architectures. The openwall link in the Description section above leads to a test where minitar is exercised on the command line.

CC: (none) => tarazed25

x86_64 before update:

Followed the procedure at https://github.com/halostatue/minitar/issues/16 more-or-less verbatim.

```
$ touch /tmp/querty1234
$ tar cf symlink-overwrite.tar ../../../../../../../../../../../../../../tmp/querty1234
$ ls -l *.tar
-rw-r--r-- 1 lcl lcl 10240 Feb 18 08:48 symlink-overwrite.tar
$ rm -rf /tmp/querty1234
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar:19:in `<top (required)>': undefined method `require_gem' for main:Object (NoMethodError)
	from /bin/minitar:23:in `load'
	from /bin/minitar:23:in `<main>'
```

I had to tamper with the minitar script and replace "require_gem" with gem before it would run. Bug report on that later. Note that /usr/bin/minitar does use "gem" to access that script.

```
$ minitar extract symlink-overwrite.tar
$ ls -al /tmp/querty1234
ls: cannot access /tmp/querty1234: No such file or directory
```

But, oddly enough, a tmp directory had been created in my qa testing directory:

```
[lcl@difda ~/qa]$ ls -al tmp
total 8
-rw-r--r-- 1 lcl lcl 0 Feb 18 09:05 querty1234
$ cd /
$ minitar extract ~/lcl/qa/symlink-overwrite.tar
$ cd
$ ls -al /tmp/querty1234
-rw-r--r-- 1 lcl lcl 0 Feb 18 09:24 /tmp/querty1234
```

Before the update the tar command works the same way.

-------------------------------------------------------------------------------

Updated to version 14.1 from core updates testing. Discovered the -P option for tar and recreated the symlink-overwrite.tar file.

```
$ rm -rf tmp/querty1234 /tmp/qwerty1234
$ tar -tvf symlink-overwrite.tar
tar: Removing leading `../../../../../../../../../../../../../../../' from member names
-rw-r--r-- lcl/vboxusers 0 2017-02-18 16:28 ../../../../../../../../../../../../../../../tmp/qwerty1234
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)
<backtrace>
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
```

This counts as desired behaviour but I think we could do without the backtrace.

OK for 64-bit systems. The pre-update test had no value because the tar file did not contain the required data.

i586 in virtualbox

Imported symlink-overwrite.tar from the host. Installed ruby-archive-tar-minitar version 14. Edited the ...bin/minitar file in the ruby source files hierarchy, changing require_gem to gem.

Pre-update:

```
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
$ minitar extract symlink-overwrite.tar
$ ls -al /tmp/qwerty1234
-rw-r--r-- 1 lcl lcl 0 Feb 18 17:14 /tmp/qwerty1234
$ rm -rf /tmp/qwerty1234
```

Updated minitar to version 14.1. Edited the minitar file again.

```
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)
<backtrace>
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
$ tar xf symlink-overwrite.tar
tar: Removing leading `../../../../../../../../../../../../../../../' from member names
tar: ../../../../../../../../../../../../../../../tmp/qwerty1234: Member name contains '..'
```

Working as intended.
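The two runs above show the whole difference between the vulnerable and fixed package: before the update a member named `../../../../tmp/qwerty1234` is written outside the extraction directory, after it minitar refuses the entry with "Error path contains ..". What follows is an added example, not minitar's code or Mageia's patch, of the kind of entry-name validation a TAR extractor needs before it writes anything. It rejects `..` components as the fix does, and additionally rejects absolute names and any name whose resolved path leaves the destination directory. The destination `/home/lcl/qa` and the entry listing are constructed for the example.

```ruby
# Added example, not minitar's own code.  Validate TAR entry names before
# extraction so that a member such as ../../../../tmp/qwerty1234 can never
# be written outside the extraction directory (the CVE-2016-10173 bug class).

# Return the absolute path an archive entry may be written to under
# dest_dir, or raise ArgumentError explaining why the entry is unsafe.
def safe_extract_path(dest_dir, entry_name)
  raise ArgumentError, 'empty entry name' if entry_name.nil? || entry_name.empty?

  # TAR uses '/' as the separator; fold backslashes as well so an archive
  # built on Windows cannot smuggle a separator past the checks below.
  normalized = entry_name.gsub('\\', '/')
  raise ArgumentError, "absolute path not allowed: #{entry_name}" if normalized.start_with?('/')

  # Drop empty and '.' components, then refuse any '..' component outright,
  # which is the check the fixed minitar performs ("Error path contains ..").
  parts = normalized.split('/').reject { |p| p.empty? || p == '.' }
  raise ArgumentError, "path contains ..: #{entry_name}" if parts.include?('..')

  base = File.expand_path(dest_dir)
  target = File.expand_path(File.join(base, *parts))

  # Belt and braces: after expansion the target must still lie under base.
  unless target == base || target.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "entry escapes destination: #{entry_name}"
  end
  target
end

# Classify every entry name of an archive listing before extracting anything,
# so one hostile member aborts the unpack instead of half-writing it.
# Returns { safe: { name => target_path }, rejected: { name => reason } }.
def check_entries(dest_dir, entry_names)
  result = { safe: {}, rejected: {} }
  entry_names.each do |name|
    begin
      result[:safe][name] = safe_extract_path(dest_dir, name)
    rescue ArgumentError => e
      result[:rejected][name] = e.message
    end
  end
  result
end

# Constructed sample listing: the traversal member from the bug report plus
# harmless names and two other hostile shapes.
SAMPLE_ENTRIES = [
  'tmp/qwerty1234',
  './README',
  '../../../../../../../../../../../../../../../tmp/qwerty1234',
  '/etc/passwd',
  'docs/../../escape'
].freeze

if __FILE__ == $PROGRAM_NAME
  report = check_entries('/home/lcl/qa', SAMPLE_ENTRIES)
  report[:safe].each { |name, path| puts "OK       #{name} -> #{path}" }
  report[:rejected].each { |name, why| puts "REJECTED #{name}: #{why}" }
end
```

The check inspects names only. A symlink member whose link target points outside the destination, followed by a later member written through that link, is a separate hazard that an extractor must handle by checking link targets too; this example does not cover it. Raising a single `ArgumentError` with a readable message, rather than letting a `RuntimeError` propagate with a backtrace, is also what Len asks for above.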
Len Lawrence
2017-02-18 18:26:13 CET
Whiteboard: has_procedure => has_procedure MGA5-64-OK MGA5-32-OK
Dave Hodgins
2017-02-19 22:20:32 CET
CC: (none) => davidwhodgins

Thanks Len. Validating the update.

Keywords: (none) => validated_update

I will push a version also correcting bug 20317.

Resolution: (none) => OLD
David Walser
2017-02-20 15:39:52 CET
Status: RESOLVED => REOPENED

Now it's fixed.

Status: REOPENED => RESOLVED

Update ID assignment failed
Checking for QA validation keyword…
Checking dependent bugs… 20317
Checking SRPMs… (5/core/ruby-archive-tar-minitar-0.5.2-14.1)
'validated_update' keyword reset.

Keywords: validated_update => (none)

Hoping this is the correct thing to do; modified the Source RPM field. Validating again.

Source RPM: ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm => ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm
Len Lawrence
2017-02-27 13:18:00 CET
Keywords: (none) => validated_update

The problem is in the advisory in SVN, which lacks the `.mga5` suffix: http://svnweb.mageia.org/advisories/20207.adv?view=markup

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory => has_procedure MGA5-64-OK MGA5-32-OK
Len Lawrence
2017-02-27 13:46:58 CET
Keywords: validated_update => (none)

No, this was moved to the other bug and the update was pushed. It doesn't need an adv file and the Source RPM field shouldn't have been modified.
Len Lawrence
2017-02-27 18:44:56 CET
Source RPM: ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm => ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm