Bug 12824 - libtar new security issue CVE-2013-4420
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/587141/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update

Reported: 2014-02-19 22:28 CET by David Walser
Modified: 2014-02-21 19:28 CET (History)

Source RPM: libtar-1.2.20-2.mga4.src.rpm

Description David Walser 2014-02-19 22:28:12 CET
Debian has issued an advisory on February 18:
http://www.debian.org/security/2014/dsa-2863

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libtar packages fix security vulnerability:

A directory traversal attack was reported against libtar, a C library for
manipulating tar archives. The library does not validate the filenames
inside the tar archive, allowing files to be extracted to an arbitrary path. An
attacker can craft a tar file to overwrite files beyond the prefix parameter of
tar_extract_glob and tar_extract_all (CVE-2013-4420).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
http://www.debian.org/security/2014/dsa-2863
========================

Updated packages in core/updates_testing:
========================
libtar-1.2.18-2.2.mga3
libtar0-1.2.18-2.2.mga3
libtar-devel-1.2.18-2.2.mga3
libtar-1.2.20-2.1.mga4
libtar0-1.2.20-2.1.mga4
libtar-devel-1.2.20-2.1.mga4

from SRPMS:
libtar-1.2.18-2.2.mga3.src.rpm
libtar-1.2.20-2.1.mga4.src.rpm

Comment 1 Oden Eriksson 2014-02-20 11:11:57 CET
PoC:

wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=triple-double-dot.tar;att=1;bug=731860" -O triple-double-dot.tar

mkdir -p 1/2/3
cd 1/2/3
(pre patch)
libtar -x ../../../triple-double-dot.tar
ls ../../../empty-file 
../../../empty-file
(post patch)
ls ../../../empty-file 
ls: cannot access ../../../empty-file: No such file or directory
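The mechanism the advisory describes and the PoC in Comment 1, replayed as an added example. This is not libtar's code and is not part of this bug report: it builds a tar archive in memory whose single member is named "../../../empty-file" (the member name from triple-double-dot.tar; the archive bytes are constructed here, not downloaded), extracts it from a 1/2/3 directory under a temporary root exactly as the PoC does, and compares the unchecked prefix + name join with a containment check. The "strip" policy, which drops leading "../" components and then re-checks, is an assumption modelled on what Comment 2 shows the updated package doing (empty-file landing in the extraction directory); the actual patch logic is not on this page.

```python
import io
import os
import posixpath
import tarfile
import tempfile

# Member name from the PoC archive (triple-double-dot.tar). The archive bytes
# are constructed below rather than downloaded, so this runs offline.
TRAVERSAL_NAME = "../../../empty-file"


def build_traversal_tar(name=TRAVERSAL_NAME, payload=b""):
    """Build an in-memory tar whose single member name contains '..' components.
    tarfile stores the name verbatim; GNU tar would strip the leading '../'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        info.mode = 0o644
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _write_member(tf, member, dest):
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with tf.extractfile(member) as src, open(dest, "wb") as out:
        out.write(src.read())
    return os.path.realpath(dest)


def naive_extract(tar_bytes, prefix):
    """The behaviour the advisory describes: destination is prefix joined with
    the member name, with no check that the result stays under prefix."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            if member.isreg():
                written.append(_write_member(tf, member, os.path.join(prefix, member.name)))
    return written


def is_contained(prefix, member_name):
    """True when prefix/member_name, after resolving '..' and any symlinks already
    on disk, is at or below prefix. An absolute member name fails as well, since
    os.path.join discards prefix for it."""
    root = os.path.realpath(prefix)
    target = os.path.realpath(os.path.join(root, member_name))
    return os.path.commonpath([root, target]) == root


def strip_leading(member_name):
    """Drop leading '/', '.' and '..' components (assumed model of the fixed
    behaviour shown in Comment 2). Returns '' when nothing usable remains."""
    parts = [p for p in posixpath.normpath(member_name).split("/") if p not in ("", ".")]
    while parts and parts[0] == "..":
        parts.pop(0)
    return "/".join(parts)


def safe_extract(tar_bytes, prefix, policy="reject"):
    """Validated extraction. policy='reject' refuses any member that would escape
    prefix; policy='strip' first removes leading '../' and then re-checks, so a
    member that still escapes (e.g. through a symlink) is refused too.
    Returns (written_paths, rejected_member_names)."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            if not member.isreg():
                continue
            name = strip_leading(member.name) if policy == "strip" else member.name
            if not name or not is_contained(prefix, name):
                rejected.append(member.name)
                continue
            written.append(_write_member(tf, member, os.path.join(prefix, name)))
    return written, rejected


def demo():
    """Replay the Comment 1 layout: extract from 1/2/3 under a temp root and report
    where the file ended up, relative to that directory, under each behaviour."""
    tar_bytes = build_traversal_tar()
    with tempfile.TemporaryDirectory() as tmp:
        top = os.path.realpath(tmp)
        cwd = os.path.join(top, "1", "2", "3")
        os.makedirs(cwd)
        escaped = os.path.join(top, "empty-file")   # three levels above cwd
        result = {}
        paths = naive_extract(tar_bytes, cwd)
        result["naive"] = {"written": [os.path.relpath(p, cwd) for p in paths],
                           "escaped": os.path.exists(escaped)}
        os.remove(escaped)  # as in Comment 2, clean up before the next run
        for policy in ("reject", "strip"):
            paths, rejected = safe_extract(tar_bytes, cwd, policy)
            result[policy] = {"written": [os.path.relpath(p, cwd) for p in paths],
                              "rejected": rejected, "escaped": os.path.exists(escaped)}
        return result


if __name__ == "__main__":
    print(demo())
```

The containment test resolves both sides with realpath before comparing, so it also catches a member that would escape through a symlink an earlier member created; a check on the raw string alone (for example, just looking for "..") would not. Note that GNU tar cannot be used to reproduce the original problem, as Comment 2 points out, because it strips the leading "../" itself.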
Comment 2 Lewis Smith 2014-02-20 14:41:36 CET
Tested Mageia 4 64-bit real hardware: OK.

CAUTION for other testers:
1) Do not assume that because you have tar, you have these libraries! You may well have to install them first.
2) No use trying with tar itself. That already does the correct thing, like the updated libtars. You really do need to use libtar directly as specified.
$ tar -xf ../../../triple-double-dot.tar
tar: Removing leading `../../../' from member names

BEFORE
libtar-1.2.20-2.mga4    lib64tar0-1.2.20-2.mga4
Test as per Comment 1, starting from Home directory, then in ~/1/2/3/:
$ libtar -x ../../../triple-double-dot.tar
$ ls
$ ls ../../../empty-file   [here => Home]
../../../empty-file        [which should not be there]

Then, necessarily for the POC:
$ rm ~/empty-file          [erroneously extracted there]

AFTER
libtar-1.2.20-2.1.mga4    lib64tar0-1.2.20-2.1.mga4
$ libtar -x ../../../triple-double-dot.tar
$ ls
empty-file        [correctly extracted here]
$ ls ~/empty-file
ls: cannot access /home/lewis/empty-file: No such file or directory
Comment 3 Oden Eriksson 2014-02-20 17:42:24 CET
======================================================
Name: CVE-2013-4420
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[libtar] 20150213 Fw: Re: Validation of file names
Reference: URL:https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html
Reference: CONFIRM:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
Reference: DEBIAN:DSA-2863
Reference: URL:http://www.debian.org/security/2014/dsa-2863

Multiple directory traversal vulnerabilities in the (1)
tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20
and earlier allow remote attackers to overwrite arbitrary files via a
.. (dot dot) in a crafted tar file.
Comment 4 claire robinson 2014-02-21 13:35:33 CET
Testing complete mga3 32 & 64

Needs testing mga4 32 to validate
Comment 5 David Walser 2014-02-21 15:46:13 CET
Testing complete on Mageia 4 i586, confirming the vulnerability and the fix.
Comment 6 Rémi Verschelde 2014-02-21 16:50:28 CET
Adding MGA4-32-OK tag as per comment 5.
Comment 7 Rémi Verschelde 2014-02-21 16:52:42 CET
Validating update, advisory has been uploaded. Please push to 3 & 4 core/updates.
Comment 8 Thomas Backlund 2014-02-21 19:28:40 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0090.html
