Bug 12824 - libtar new security issue CVE-2013-4420
Summary: libtar new security issue CVE-2013-4420
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal    Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/587141/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-02-19 22:28 CET by David Walser
Modified: 2023-02-23 13:04 CET
CC List: 6 users

See Also:
Source RPM: libtar-1.2.20-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-02-19 22:28:12 CET
Debian has issued an advisory on February 18:
http://www.debian.org/security/2014/dsa-2863

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libtar packages fix security vulnerability:

A directory traversal attack was reported against libtar, a C library for
manipulating tar archives. The application does not validate the filenames
inside the tar archive, allowing files to be extracted to arbitrary paths. An
attacker can craft a tar file to overwrite files beyond the tar_extract_glob
and tar_extract_all prefix parameter (CVE-2013-4420).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
http://www.debian.org/security/2014/dsa-2863
========================

Updated packages in core/updates_testing:
========================
libtar-1.2.18-2.2.mga3
libtar0-1.2.18-2.2.mga3
libtar-devel-1.2.18-2.2.mga3
libtar-1.2.20-2.1.mga4
libtar0-1.2.20-2.1.mga4
libtar-devel-1.2.20-2.1.mga4

from SRPMS:
libtar-1.2.18-2.2.mga3.src.rpm
libtar-1.2.20-2.1.mga4.src.rpm

David Walser 2014-02-19 22:28:18 CET

Whiteboard: (none) => MGA3TOO

Comment 1 Oden Eriksson 2014-02-20 11:11:57 CET
PoC:

wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=triple-double-dot.tar;att=1;bug=731860" -O triple-double-dot.tar

mkdir -p 1/2/3
cd 1/2/3
(pre patch)
libtar -x ../../../triple-double-dot.tar
ls ../../../empty-file 
../../../empty-file
(post patch)
ls ../../../empty-file 
ls: cannot access ../../../empty-file: No such file or directory

CC: (none) => oe
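The check that the advisory above describes as missing, and that the PoC in Comment 1 exercises, is a member-name validation before the name is joined to the extraction prefix. The following is an added example written for this page; it is not libtar's code and not the Debian or Mageia patch, and the function names (tar_member_name_is_safe, build_extract_path, count_unsafe_members, build_poc_archive) are hypothetical. Rather than download triple-double-dot.tar, it constructs an in-memory ustar archive with one member named "../../../empty-file" and one named "empty-file", walks the headers, and rejects any name that is absolute or contains a ".." component.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAR_BLOCK 512

/* Does this member name stay underneath the extraction prefix?  Rejects
 * absolute names and any ".." component ("../x", "a/../../x"); names that
 * merely begin with dots ("..foo") are allowed.  Hypothetical helper. */
int tar_member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    for (const char *p = name; *p; ) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;
        while (*p == '/')
            p++;
    }
    return 1;
}

/* Form <prefix>/<name> the way an extractor would, but only for safe names.
 * Returns 0 on success, -1 if the name is unsafe or the result would not fit. */
int build_extract_path(const char *prefix, const char *name,
                       char *out, size_t outsz)
{
    if (!tar_member_name_is_safe(name))
        return -1;
    int n = snprintf(out, outsz, "%s/%s", prefix, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Constructed test data: a minimal ustar header for a regular file. */
static void make_ustar_header(unsigned char *h, const char *name, size_t size)
{
    memset(h, 0, TAR_BLOCK);
    strncpy((char *)h, name, 100);                 /* name, NUL-padded     */
    memcpy(h + 100, "0000644", 7);                 /* mode                 */
    snprintf((char *)h + 124, 12, "%011zo", size); /* size, octal          */
    h[156] = '0';                                  /* typeflag: regular    */
    memcpy(h + 257, "ustar\0" "00", 8);            /* magic + version      */
    memset(h + 148, ' ', 8);                       /* checksum as spaces   */
    unsigned sum = 0;
    for (int i = 0; i < TAR_BLOCK; i++)
        sum += h[i];
    snprintf((char *)h + 148, 8, "%06o", sum);     /* six digits + NUL     */
    h[155] = ' ';
}

/* Walk the headers of an in-memory archive and count members whose names
 * fail the check; the first offending name is copied to first_bad. */
int count_unsafe_members(const unsigned char *buf, size_t len,
                         char *first_bad, size_t badsz)
{
    int bad = 0;
    size_t off = 0;
    if (first_bad && badsz)
        first_bad[0] = '\0';
    while (off + TAR_BLOCK <= len) {
        const unsigned char *h = buf + off;
        if (h[0] == '\0')                          /* end-of-archive block */
            break;
        char name[101];
        memcpy(name, h, 100);
        name[100] = '\0';
        size_t size = strtoul((const char *)h + 124, NULL, 8);
        if (!tar_member_name_is_safe(name)) {
            if (bad == 0 && first_bad)
                snprintf(first_bad, badsz, "%s", name);
            bad++;
        }
        off += TAR_BLOCK + ((size + TAR_BLOCK - 1) / TAR_BLOCK) * TAR_BLOCK;
    }
    return bad;
}

/* Archive shaped like the PoC: one member with three "../" components (as in
 * triple-double-dot.tar) plus one ordinary file, then two zero blocks. */
size_t build_poc_archive(unsigned char *buf)
{
    make_ustar_header(buf, "../../../empty-file", 0);
    make_ustar_header(buf + TAR_BLOCK, "empty-file", 0);
    memset(buf + 2 * TAR_BLOCK, 0, 2 * TAR_BLOCK);
    return 4 * TAR_BLOCK;
}

int main(void)
{
    unsigned char archive[4 * TAR_BLOCK];
    char bad[101], path[256];
    size_t n = build_poc_archive(archive);
    printf("%d unsafe member(s); first: %s\n",
           count_unsafe_members(archive, n, bad, sizeof bad), bad);
    if (build_extract_path("/home/lewis/1/2/3", "empty-file", path, sizeof path) == 0)
        printf("would extract to %s\n", path);
    return 0;
}
```

Run from a directory such as ~/1/2/3 the "../../../empty-file" member is refused instead of landing in the home directory, which is the "post patch" result in Comment 1. GNU tar takes a different approach and strips the leading "../" (see Comment 2); either way no write happens outside the prefix, but a rejecting check is simpler to reason about than a rewriting one.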

Comment 2 Lewis Smith 2014-02-20 14:41:36 CET
Tested Mageia 4 64-bit real hardware: OK.

CAUTION for other testers:
1) Do not assume that because you have tar, you have these libraries! You may well have to install them first.
2) No use trying with tar itself. That already does the correct thing, like the updated libtars. You really do need to use libtar directly as specified.
$ tar -xf ../../../triple-double-dot.tar
tar: Removing leading `../../../' from member names

BEFORE
libtar-1.2.20-2.mga4    lib64tar0-1.2.20-2.mga4
Test as per Comment 1, starting from Home directory, then in ~/1/2/3/:
$ libtar -x ../../../triple-double-dot.tar
$ ls
$ ls ../../../empty-file   [here => Home]
../../../empty-file        [which should not be there]

Then, necessarily for the POC:
$ rm ~/empty-file          [erroneously extracted there]

AFTER
libtar-1.2.20-2.1.mga4    lib64tar0-1.2.20-2.1.mga4
$ libtar -x ../../../triple-double-dot.tar
$ ls
empty-file        [correctly extracted here]
$ ls ~/empty-file
ls: cannot access /home/lewis/empty-file: No such file or directory

CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 3 Oden Eriksson 2014-02-20 17:42:24 CET
======================================================
Name: CVE-2013-4420
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[libtar] 20140213 Fw: Re: Validation of file names
Reference: URL:https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html
Reference: CONFIRM:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
Reference: DEBIAN:DSA-2863
Reference: URL:http://www.debian.org/security/2014/dsa-2863

Multiple directory traversal vulnerabilities in the (1)
tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20
and earlier allow remote attackers to overwrite arbitrary files via a
.. (dot dot) in a crafted tar file.

Comment 4 claire robinson 2014-02-21 13:35:33 CET
Testing complete mga3 32 & 64

Needs testing mga4 32 to validate

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK

Comment 5 David Walser 2014-02-21 15:46:13 CET
Testing complete on Mageia 4 i586, confirming the vulnerability and the fix.

Comment 6 Rémi Verschelde 2014-02-21 16:50:28 CET
Adding MGA4-32-OK tag as per comment 5.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK

Comment 7 Rémi Verschelde 2014-02-21 16:52:42 CET
Validating update, advisory has been uploaded. Please push to 3 & 4 core/updates.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-02-21 19:28:40 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0090.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => tmb
