| Summary: | Deprecated code and new security issue CVE-2016-10173 in ruby-archive-tar-minitar | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Len Lawrence <tarazed25> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, nicolas.salguero, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | has_procedure MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 20207 | ||
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry. (CVE-2016-10173)

Moreover, the updated packages replace the deprecated require_gem by gem to make minitar work.

References:
http://openwall.com/lists/oss-security/2017/01/29/1
https://lwn.net/Alerts/713128/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10173
========================

Updated package in core/updates_testing:
========================
ruby-archive-tar-minitar-0.5.2-14.2.mga5
ruby-archive-tar-minitar-doc-0.5.2-14.2.mga5

from SRPMS:
ruby-archive-tar-minitar-0.5.2-14.2.mga5.src.rpm

Status:
NEW =>
ASSIGNED
Nicolas Salguero
2017-02-20 15:15:00 CET
Component:
RPM Packages =>
Security
David Walser
2017-02-20 15:39:52 CET
Blocks:
(none) =>
20207

Testing this again on x86_64 after updating the packages.

$ minitar extract icons.tar

This generated an icons directory with a number of valid image icons in it.

Used the earlier PoC file to demonstrate that the updated minitar traps the CVE-2016-10173 issue.

$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)

followed by a backtrace.
Len Lawrence
2017-02-20 16:28:17 CET
Whiteboard:
(none) =>
has_procedure MGA5-64-OK

Updated these on i586 virtualbox.

Checked the source code at /usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar to confirm the edit:

gem 'archive-tar-minitar', '= 0.5.2'

$ mv bin oldbin
$ minitar extract bin.tar
$ ls bin
accumulate  copycal   gorilla     printcode  tarback
backdocs    copydata  hail        printing   tbird
backroom    copydocs  hailstones  purgelist  tidy
.......

Tested PoC file:

$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)

which is the expected output.
Len Lawrence
2017-02-20 17:00:42 CET
Whiteboard:
has_procedure MGA5-64-OK =>
has_procedure MGA5-64-OK MGA5-32-OK

Validating & advisory uploaded.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0060.html

Status:
ASSIGNED =>
RESOLVED
Description of problem:

Our current version of ruby minitar contains a code error and needs a simple patch in order to work. 'require_gem' is deprecated and needs to be replaced by 'gem', and as far as is known the fault occurs in only one place. The correction has been tested in QA against version 14.1 and shown to work.

Further note: /usr/bin/minitar uses 'gem', not 'require_gem'.

$ sudo urpmi ruby-archive-tar-minitar
$MIRRORLIST: media/core/release/ruby-archive-tar-minitar-0.5.2-14.mga5.noarch.rpm

$ minitar extract bin.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar:19:in `<top (required)>': undefined method `require_gem' for main:Object (NoMethodError)
	from /usr/bin/minitar:23:in `load'
	from /usr/bin/minitar:23:in `<main>'

$ ruby --version
ruby 2.0.0p648 (2015-12-16 revision 53162) [x86_64-linux]

Version-Release number of selected component (if applicable):
ruby-archive-tar-minitar-0.5.2-14.mga5.noarch

How reproducible:
It is consistent.

Steps to Reproduce:
1. Install ruby-archive-tar-minitar-0.5.2-14
2. Use minitar to extract a standard TAR file
3.
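The entry-name check behind the "Error path contains .." refusal seen in the QA runs above, as an added example written for this page (not minitar's code and not part of the bug report): it builds a constructed tar stream in memory, reads only the ustar headers without writing any file, and reports which entries a safe extractor must refuse. The header helper and the entry names are constructed for the demo; the check also refuses absolute names, which goes beyond the `..` case the advisory describes.

```ruby
require 'stringio'
BLOCK = 512

# Build one ustar header plus NUL-padded data for a constructed entry.
# Demo helper only (not minitar's writer); names are limited to 100 bytes.
def tar_entry(name, data)
  raise ArgumentError, 'name too long for demo' if name.bytesize > 100
  h = "\0" * BLOCK
  h[0, name.bytesize] = name
  h[100, 8]  = "0000644\0"                                  # mode
  h[108, 8]  = "0000000\0"                                  # uid
  h[116, 8]  = "0000000\0"                                  # gid
  h[124, 12] = format('%011o', data.bytesize) + "\0"        # size, octal
  h[136, 12] = "00000000000\0"                              # mtime
  h[148, 8]  = ' ' * 8                                      # chksum placeholder
  h[156]     = '0'                                          # typeflag: regular file
  h[257, 6]  = "ustar\0"
  h[263, 2]  = '00'
  h[148, 8]  = format('%06o', h.bytes.inject(0, :+)) + "\0 " # checksum over spaces
  h + data + "\0" * ((BLOCK - data.bytesize % BLOCK) % BLOCK)
end

# The check a safe extractor applies before touching the filesystem:
# refuse absolute names and any ".." path component (/ or \ separated).
def safe_path?(name)
  return false if name.start_with?('/', '\\')
  name.split(%r{[\\/]+}).none? { |part| part == '..' }
end

# Walk the headers only (nothing is written) and return [name, safe?] pairs.
def audit_entries(io)
  entries = []
  while (h = io.read(BLOCK)) && h.bytesize == BLOCK && h.delete("\0") != ''
    name   = h[0, 100].delete("\0")
    prefix = h[345, 155].delete("\0")                       # ustar prefix field
    name   = "#{prefix}/#{name}" unless prefix.empty?
    size   = h[124, 12].delete("\0").strip.to_i(8)
    io.seek((size + BLOCK - 1) / BLOCK * BLOCK, IO::SEEK_CUR) # skip the data blocks
    entries << [name, safe_path?(name)]
  end
  entries
end

# Constructed archive: one benign entry and two that must be refused.
def constructed_archive
  StringIO.new(tar_entry('bin/accumulate', "ok\n") +
               tar_entry('../../../../tmp/qwerty1234', "overwrite\n") +
               tar_entry('/etc/motd', "x\n") + "\0" * (BLOCK * 2))
end
```

`audit_entries(constructed_archive)` returns `[["bin/accumulate", true], ["../../../../tmp/qwerty1234", false], ["/etc/motd", false]]`; an extractor should stop at the first false before writing anything.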