Debian has issued an advisory on February 18: http://www.debian.org/security/2014/dsa-2863

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libtar packages fix security vulnerability:

A directory traversal attack was reported against libtar, a C library for manipulating tar archives. The application does not validate the filenames inside the tar archive, allowing files to be extracted to an arbitrary path. An attacker can craft a tar file to override files beyond the tar_extract_glob and tar_extract_all prefix parameter (CVE-2013-4420).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
http://www.debian.org/security/2014/dsa-2863
========================

Updated packages in core/updates_testing:
========================
libtar-1.2.18-2.2.mga3
libtar0-1.2.18-2.2.mga3
libtar-devel-1.2.18-2.2.mga3
libtar-1.2.20-2.1.mga4
libtar0-1.2.20-2.1.mga4
libtar-devel-1.2.20-2.1.mga4

from SRPMS:
libtar-1.2.18-2.2.mga3.src.rpm
libtar-1.2.20-2.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
PoC:

wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=triple-double-dot.tar;att=1;bug=731860" -O triple-double-dot.tar
mkdir -p 1/2/3
cd 1/2/3

(pre patch)
libtar -x ../../../triple-double-dot.tar
ls ../../../empty-file
../../../empty-file

(post patch)
ls ../../../empty-file
ls: cannot access ../../../empty-file: No such file or directory
CC: (none) => oe
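The PoC above shows the symptom (a member named ../../../empty-file lands three directories above the extraction prefix) but not the check the fixed libtar performs. The following is an added example, not code from the bug report or from libtar: it builds a constructed in-memory tar archive with the same shape as triple-double-dot.tar, implements the missing containment check (resolve prefix/member-name and refuse anything that does not stay under the prefix, which also catches absolute member names), and extracts only when every member passes. All function names (build_tar, escapes_prefix, unsafe_members, safe_extract, demo) are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members: dict) -> bytes:
    """Build an in-memory tar archive from {member_name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def escapes_prefix(prefix: str, member_name: str) -> bool:
    """True if prefix/member_name resolves to a path outside prefix.

    os.path.join discards prefix when member_name is absolute, and realpath
    collapses '..' components, so both '/etc/passwd' and '../../../x' are caught.
    Only the member name is checked here; symlink and hardlink targets in an
    archive need a separate check.
    """
    base = os.path.realpath(prefix)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) != base


def unsafe_members(tar_bytes: bytes, prefix: str) -> list:
    """Names of members that would be written outside prefix."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if escapes_prefix(prefix, m.name)]


def safe_extract(tar_bytes: bytes, prefix: str) -> list:
    """Extract regular files into prefix only if every member stays inside it.

    Returns the names extracted; raises ValueError (before touching the
    filesystem) if any member escapes, which is the behaviour the patched
    libtar has and the unpatched one lacked.
    """
    bad = unsafe_members(tar_bytes, prefix)
    if bad:
        raise ValueError("refusing to extract, members escape %s: %s" % (prefix, bad))
    names = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            dest = os.path.join(prefix, m.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as out, tar.extractfile(m) as src:
                out.write(src.read())
            names.append(m.name)
    return names


def demo() -> dict:
    """Run a traversal archive and a clean archive against a temporary prefix."""
    malicious = build_tar({"../../../empty-file": b"", "ok/file.txt": b"hello\n"})
    clean = build_tar({"ok/file.txt": b"hello\n"})
    with tempfile.TemporaryDirectory() as prefix:
        flagged = unsafe_members(malicious, prefix)
        try:
            safe_extract(malicious, prefix)
            refused = False
        except ValueError:
            refused = True
        after_refusal = sorted(os.listdir(prefix))  # nothing written, not even ok/
        extracted = safe_extract(clean, prefix)
    return {"flagged": flagged, "refused": refused,
            "after_refusal": after_refusal, "extracted": extracted}


if __name__ == "__main__":
    print(demo())
```

The check is done over the whole member list before anything is written, so a rejected archive leaves no partial extraction behind; GNU tar's "Removing leading `../../../' from member names" (seen in the next comment) is the other reasonable policy, sanitising rather than refusing.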
Tested Mageia 4 64-bit real hardware: OK.

CAUTION for other testers:
1) Do not assume that because you have tar, you have these libraries! You may well have to install them first.
2) No use trying with tar itself. That already does the correct thing, like the updated libtars. You really do need to use libtar directly as specified.

$ tar -xf ../../../triple-double-dot.tar
tar: Removing leading `../../../' from member names

BEFORE
libtar-1.2.20-2.mga4
lib64tar0-1.2.20-2.mga4

Test as per Comment 1, starting from Home directory, then in ~/1/2/3/:

$ libtar -x ../../../triple-double-dot.tar
$ ls
$ ls ../../../empty-file   [here => Home]
../../../empty-file        [which should not be there]

Then, necessarily for the PoC:
$ rm ~/empty-file          [erroneously extracted there]

AFTER
libtar-1.2.20-2.1.mga4
lib64tar0-1.2.20-2.1.mga4

$ libtar -x ../../../triple-double-dot.tar
$ ls
empty-file                 [correctly extracted here]
$ ls ~/empty-file
ls: cannot access /home/lewis/empty-file: No such file or directory
CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
======================================================
Name: CVE-2013-4420
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: MLIST:[libtar] 20150213 Fw: Re: Validation of file names
Reference: URL:https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html
Reference: CONFIRM:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
Reference: DEBIAN:DSA-2863
Reference: URL:http://www.debian.org/security/2014/dsa-2863

Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.
Testing complete on mga3 32 & 64.
Needs testing on mga4 32 to validate.
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK
Testing complete on Mageia 4 i586, confirming the vulnerability and the fix.
Adding MGA4-32-OK tag as per comment 5.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
Validating update, advisory has been uploaded. Please push to 3 & 4 core/updates.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0090.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => tmb