http://www.openwall.com/lists/oss-security/2013/10/10/4

"Date: Thu, 10 Oct 2013 10:06:05 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
CC: timo.warns@...il.com, cdfrey@...rsquare.net
Subject: Integer overflow in libtar (<= 1.2.19)

Hi All,

Forwarding information from the linux-distros list to oss-sec, since the issue is public now.

Details:
An integer overflow vulnerability was identified in libtar 1.2.19 (and older) that can possibly be exploited for arbitrary code execution when extracting a specially crafted tar file.

A coordinated release date (CRD) of October 9th has been agreed with Chris Frey (libtar developer).

This issue is assigned CVE-2013-4397.

This issue is fixed in libtar-1.2.20.

Reference:
Upstream patch: http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04
Announcement: This is an announcement about the release on the libtar list, but strangely I can't access the list archives. (I am subscribed to the mailing list though.)
Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1014492

--
Huzaifa Sidhpurwala / Red Hat Security Response Team"
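An added illustration of the bug class named above (integer overflow while sizing a heap buffer during extraction); this is constructed example code, not libtar's code and not the upstream patch. A tar header stores the entry size as octal text; an extractor that rounds it up to whole 512-byte blocks in 32-bit arithmetic before allocating can wrap to a tiny allocation, and the checked variant refuses such sizes before any memory is sized from them. All function names are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#define T_BLOCKSIZE 512 /* tar block size */

/* Parse a NUL- or space-terminated octal field such as the 12-byte "size"
 * field of a tar header. Returns 0 and stores the value, or -1 on a
 * non-octal byte or a value that would not fit in 64 bits. */
int tar_parse_octal(const char *field, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    size_t i = 0;
    while (i < len && field[i] == ' ') /* leading pad */
        i++;
    for (; i < len && field[i] != '\0' && field[i] != ' '; i++) {
        if (field[i] < '0' || field[i] > '7' || v > (UINT64_MAX >> 3))
            return -1; /* bad digit, or the next shift would overflow */
        v = (v << 3) | (uint64_t)(field[i] - '0');
    }
    *out = v;
    return 0;
}

/* Naive 32-bit rounding of an entry size up to whole blocks before a
 * malloc(). It wraps silently: 0xFFFFFFFF bytes -> 8388608 blocks ->
 * 2^32 bytes -> 0, so a zero-byte buffer receives the entry's data. */
uint32_t padded_size_unchecked32(uint32_t size)
{
    uint32_t blocks = size / T_BLOCKSIZE + (size % T_BLOCKSIZE != 0);
    return (uint32_t)(blocks * (uint32_t)T_BLOCKSIZE);
}

/* Checked version: refuse any size whose block count times T_BLOCKSIZE
 * would not fit in an int. Returns the padded byte count or -1. */
long padded_size_checked(uint64_t size)
{
    uint64_t blocks = size / T_BLOCKSIZE + (size % T_BLOCKSIZE != 0);
    if (blocks > (uint64_t)INT_MAX / T_BLOCKSIZE)
        return -1;
    return (long)(blocks * T_BLOCKSIZE);
}

/* Raw header field -> safe allocation size, or -1 on bad/oversized input. */
long tar_entry_alloc_size(const char field[12])
{
    uint64_t size;
    if (tar_parse_octal(field, 12, &size) != 0)
        return -1;
    return padded_size_checked(size);
}
```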
Fixed with libtar-1.2.11-10.1.mga2, libtar-1.2.18-2.1.mga3 and libtar-1.2.20-1.mga4.
Thanks Oden!

Advisory:
========================

Updated libtar packages fix security vulnerability:

Two heap-based buffer overflow flaws were found in the way libtar handled certain archives. If a user were tricked into expanding a specially-crafted archive, it could cause the libtar executable or an application using libtar to crash or, potentially, execute arbitrary code (CVE-2013-4397).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397
https://rhn.redhat.com/errata/RHSA-2013-1418.html
========================

Updated packages in core/updates_testing:
========================
libtar-1.2.11-10.1.mga2
libtar-devel-1.2.11-10.1.mga2
libtar-1.2.18-2.1.mga3
libtar0-1.2.18-2.1.mga3
libtar-devel-1.2.18-2.1.mga3

from SRPMS:
libtar-1.2.11-10.1.mga2.src.rpm
libtar-1.2.18-2.1.mga3.src.rpm
Version: 2 => 3
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4397: libtar - Heap-based buffer overflows by expanding a specially-crafted archive => libtar - Heap-based buffer overflows by expanding a specially-crafted archive (CVE-2013-4397)
Whiteboard: (none) => MGA2TOO
Severity: normal => major
Advisory 11424.adv committed to svn
CC: (none) => davidwhodgins
FYI there may be more fixing coming for libtar: http://openwall.com/lists/oss-security/2013/10/10/21
https://bugzilla.redhat.com/show_bug.cgi?id=1018150
RedHat has issued an advisory for this on October 10: https://rhn.redhat.com/errata/RHSA-2013-1418.html
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397 => http://lwn.net/Vulnerabilities/570142/
Testing complete mga3 64

Using a modified C++ example from here [1]. I'll paste the modified version in a separate comment. It should create file.tar.bz2 from the directory testdir.

[1] http://stackoverflow.com/questions/813223/how-to-compress-a-directory-with-libbz2-in-c

Before
------
# urpmi lib64bzip2-devel
# urpmi lib64tar-devel
$ cd test
$ mkdir testdir
$ echo "test test test" > testdir/testfile.txt
$ ls
tartest.cpp  testdir/
$ g++ tartest.cpp -ltar -lbz2 -o tartest
$ ls
tartest*  tartest.cpp  testdir/
$ ./tartest
$ ls
file.tar.bz2  tartest*  tartest.cpp  testdir/

Check it worked.
$ file file.tar.bz2
file.tar.bz2: bzip2 compressed data, block size = 700k
$ tar xvjf file.tar.bz2
./
./testfile.txt
$ ls
file.tar.bz2  tartest*  tartest.cpp  testfile.txt
$ cat testfile.txt
test test test

After
-----
# urpmi libtar lib64tar0 lib64tar-devel
installing lib64tar-devel-1.2.18-2.1.mga3.x86_64.rpm libtar-1.2.18-2.1.mga3.x86_64.rpm lib64tar0-1.2.18-2.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                                          ##########################
      1/3: lib64tar0                                  ##########################
      2/3: lib64tar-devel                             ##########################
      3/3: libtar                                     ##########################
      1/3: removing libtar-1.2.18-2.mga3.x86_64        ##########################
      2/3: removing lib64tar-devel-1.2.18-2.mga3.x86_64 ##########################
      3/3: removing lib64tar0-1.2.18-2.mga3.x86_64     ##########################

Rebuild tartest with new lib.
$ rm -f file.tar.bz2 tartest testfile.txt
$ g++ tartest.cpp -ltar -lbz2 -o tartest
$ ls
tartest*  tartest.cpp  testdir/
$ ./tartest
etc.
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>      /* FILE, fopen, perror, remove (was missing) */
#include <stdlib.h>
#include <unistd.h>
#include <libtar.h>
#include <bzlib.h>

int main()
{
    TAR *pTar;
    char tarFilename[] = "file.tar";
    char srcDir[] = "testdir/";
    char extractTo[] = ".";

    /* Create file.tar and append the tree under testdir/, stored as "." */
    if (tar_open(&pTar, tarFilename, NULL, O_WRONLY | O_CREAT, 0644, TAR_GNU) != 0) {
        perror("tar_open");
        return 1;
    }
    if (tar_append_tree(pTar, srcDir, extractTo) != 0) {
        perror("tar_append_tree");
        tar_close(pTar);
        return 1;
    }
    tar_append_eof(pTar);   /* write the two zero blocks that terminate a tar archive */
    tar_close(pTar);        /* closes the descriptor and frees the TAR handle */

    /* Compress file.tar into file.tar.bz2 with libbz2 */
    int tarFD = open(tarFilename, O_RDONLY);
    if (tarFD < 0) {
        perror("open");
        return 1;
    }
    char tbz2Filename[] = "file.tar.bz2";
    FILE *tbz2File = fopen(tbz2Filename, "wb");
    if (tbz2File == NULL) {
        perror("fopen");
        close(tarFD);
        return 1;
    }

    int bzError;
    const int BLOCK_MULTIPLIER = 7;   /* 700k block size, as "file" reports above */
    BZFILE *pBz = BZ2_bzWriteOpen(&bzError, tbz2File, BLOCK_MULTIPLIER, 0, 0);
    if (bzError != BZ_OK) {
        fprintf(stderr, "BZ2_bzWriteOpen failed: %d\n", bzError);
        fclose(tbz2File);
        close(tarFD);
        return 1;
    }

    const int BUF_SIZE = 10000;
    char *buf = new char[BUF_SIZE];
    ssize_t bytesRead;
    while ((bytesRead = read(tarFD, buf, BUF_SIZE)) > 0) {
        BZ2_bzWrite(&bzError, pBz, buf, bytesRead);
        if (bzError != BZ_OK)
            break;
    }
    BZ2_bzWriteClose(&bzError, pBz, 0, NULL, NULL);
    fclose(tbz2File);       /* BZ2_bzWriteClose does not close the FILE */
    close(tarFD);
    remove(tarFilename);    /* keep only the compressed archive */
    delete[] buf;
    return 0;
}
Getting too complicated here, libtar is a command :)

$ libtar -c tartest.tar testdir/*
$ rm -rf testdir
$ file tartest.tar
tartest.tar: POSIX tar archive
$ libtar -x tartest.tar
$ cat testdir/testfile.txt
test test test

Much more simples!
Testing complete mga2 64

$ echo "test test test" >test.txt
$ libtar -c tartest.tar test.txt
$ rm -f test.txt
$ libtar -x tartest.tar
$ cat test.txt
test test test
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-64-ok
Testing complete mga2 32 & mga3 32
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Validating. Advisory uploaded in comment 3. Could sysadmin please push from 2&3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0309.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED