A CVE has been assigned for a security issue in ruby-archive-tar-minitar: http://openwall.com/lists/oss-security/2017/01/29/1 That project is dead and has been superseded by a "minitar" project, which has fixed this issue. Backporting the patch to the version we have in Mageia 5 appears to be non-trivial.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Debian has issued an advisory for this on January 30: https://lwn.net/Alerts/713128/
URL: (none) => https://lwn.net/Vulnerabilities/713148/
Suggested advisory:
========================
The updated package fixes a security vulnerability:

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry. (CVE-2016-10173)

References:
http://openwall.com/lists/oss-security/2017/01/29/1
https://lwn.net/Alerts/713128/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10173
========================
Updated package in core/updates_testing:
========================
ruby-archive-tar-minitar-0.5.2-14.1.mga5

from SRPMS:
ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Shall test this on both architectures. The openwall link in the Description section above leads to a test where minitar is exercised on the command line.
CC: (none) => tarazed25
Whiteboard: (none) => has_procedure
x86_64 before update:
Followed the procedure at https://github.com/halostatue/minitar/issues/16 more-or-less verbatim.

$ touch /tmp/querty1234
$ tar cf symlink-overwrite.tar ../../../../../../../../../../../../../../tmp/querty1234
$ ls -l *.tar
-rw-r--r-- 1 lcl lcl 10240 Feb 18 08:48 symlink-overwrite.tar
$ rm -rf /tmp/querty1234
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar:19:in `<top (required)>': undefined method `require_gem' for main:Object (NoMethodError)
        from /bin/minitar:23:in `load'
        from /bin/minitar:23:in `<main>'

I had to tamper with the minitar script and replace "require_gem" with "gem" before it would run. Bug report on that later. Note that /usr/bin/minitar does use "gem" to access that script.

$ minitar extract symlink-overwrite.tar
$ ls -al /tmp/querty1234
ls: cannot access /tmp/querty1234: No such file or directory

But, oddly enough, a tmp directory had been created in my qa testing directory:

[lcl@difda ~/qa]$ ls -al tmp
total 8
-rw-r--r-- 1 lcl lcl 0 Feb 18 09:05 querty1234
$ cd /
$ minitar extract ~/lcl/qa/symlink-overwrite.tar
$ cd
$ ls -al /tmp/querty1234
-rw-r--r-- 1 lcl lcl 0 Feb 18 09:24 /tmp/querty1234

Before the update the tar command works the same way.
-------------------------------------------------------------------------------
Updated to version 14.1 from core updates testing.
Discovered the -P option for tar and recreated the symlink-overwrite.tar file.

$ rm -rf tmp/querty1234 /tmp/qwerty1234
$ tar -tvf symlink-overwrite.tar
tar: Removing leading `../../../../../../../../../../../../../../../' from member names
-rw-r--r-- lcl/vboxusers 0 2017-02-18 16:28 ../../../../../../../../../../../../../../../tmp/qwerty1234
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)
<backtrace>
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory

This counts as desired behaviour, but I think we could do without the backtrace.
OK for 64-bit systems.
The pre-update test had no value because the tar file did not contain the required data.
i586 in virtualbox
Imported symlink-overwrite.tar from the host. Installed ruby-archive-tar-minitar version 14. Edited the ...bin/minitar file in the ruby source files hierarchy, changing require_gem to gem.

Pre-update:
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
$ minitar extract symlink-overwrite.tar
$ ls -al /tmp/qwerty1234
-rw-r--r-- 1 lcl lcl 0 Feb 18 17:14 /tmp/qwerty1234
$ rm -rf /tmp/qwerty1234

Updated minitar to version 14.1. Edited the minitar file again.

$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)
<backtrace>
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
$ tar xf symlink-overwrite.tar
tar: Removing leading `../../../../../../../../../../../../../../../' from member names
tar: ../../../../../../../../../../../../../../../tmp/qwerty1234: Member name contains '..'

Working as intended.
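As an added illustration of the check the fixed package enforces in the tests above (this is not code from minitar, archive-tar-minitar or the Mageia package), the following Ruby script uses the TarWriter/TarReader classes that ship with rubygems to build an archive in memory containing a constructed `../` entry like the one in the test, and then extracts it through a function that refuses any entry whose name contains a `..` component or starts with `/`. It goes a step beyond the `..` check the error message reports by also confirming that the resolved target path stays under the destination directory. The names `build_archive`, `safe_entry_path?` and `extract_safely` are assumptions for this example; the sample archive entries are constructed.

```ruby
require 'rubygems/package' # Gem::Package::TarWriter / TarReader (ship with rubygems)
require 'stringio'
require 'fileutils'
require 'tmpdir'

# Build a small tar archive in memory from {name => content} pairs.
# Constructed test data: the writer does not validate entry names, which is
# how a hostile archive carries a "../" entry in the first place.
def build_archive(entries)
  io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |name, content|
      tar.add_file_simple(name, 0o644, content.bytesize) { |f| f.write(content) }
    end
  end
  io.rewind
  io
end

# Decide, before touching the filesystem, whether an entry name may be
# written under +dest+ (an absolute, expanded directory path):
#   - no absolute names
#   - no ".." path component anywhere
#   - the expanded target must still lie inside +dest+
def safe_entry_path?(name, dest)
  return false if name.empty? || name.start_with?('/')
  return false if name.split('/').include?('..')
  target = File.expand_path(name, dest)
  target == dest || target.start_with?(dest + File::SEPARATOR)
end

# Extract only regular files and directories whose names pass the check.
# Returns [written, rejected], both arrays of entry names in archive order.
def extract_safely(io, dest)
  dest = File.expand_path(dest)
  written = []
  rejected = []
  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      name = entry.full_name
      unless safe_entry_path?(name, dest)
        rejected << name
        next
      end
      target = File.join(dest, name)
      if entry.directory?
        FileUtils.mkdir_p(target)
      elsif entry.file?
        FileUtils.mkdir_p(File.dirname(target))
        File.binwrite(target, entry.read.to_s)
      else
        rejected << name # symlinks, devices etc. are out of scope here
        next
      end
      written << name
    end
  end
  [written, rejected]
end

if $PROGRAM_NAME == __FILE__
  archive = build_archive(
    'docs/readme.txt' => "hello\n",
    '../../../../tmp/qwerty1234' => '', # constructed traversal entry, as in the test
    '/etc/evil' => 'x'                  # constructed absolute-path entry
  )
  Dir.mktmpdir do |dir|
    written, rejected = extract_safely(archive, dir)
    puts "written:  #{written.inspect}"
    puts "rejected: #{rejected.inspect}"
  end
end
```

Run it with `ruby extract_check.rb`: the `docs/readme.txt` entry is written under the temporary directory, while the `../` and absolute entries are reported as rejected without any file being created outside it. Rejecting the entry up front (rather than letting the write fail) is what turns the pre-update behaviour, where the file silently landed in `/tmp`, into the "path contains .." refusal the updated package shows.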
Whiteboard: has_procedure => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
Thanks Len. Validating the update
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
I will push a version also correcting bug 20317
Resolution: (none) => OLD
Status: ASSIGNED => RESOLVED
Status: RESOLVED => REOPENED
CC: (none) => qa-bugs
Depends on: (none) => 20317
Resolution: OLD => (none)
Assignee: qa-bugs => nicolas.salguero
Now it's fixed.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
Update ID assignment failed
Checking for QA validation keyword…
Checking dependent bugs… 20317
Checking SRPMs… (5/core/ruby-archive-tar-minitar-0.5.2-14.1)
'validated_update' keyword reset.
Keywords: validated_update => (none)
Hoping this is the correct thing to do; modified the Source RPM field. Validating again.
Source RPM: ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm => ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm
Keywords: (none) => validated_update
The problem is in the advisory in SVN which lacks the `.mga5` suffix: http://svnweb.mageia.org/advisories/20207.adv?view=markup
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory => has_procedure MGA5-64-OK MGA5-32-OK
No, this was moved to the other bug and the update was pushed. It doesn't need an adv file and the Source RPM field shouldn't have been modified.
Source RPM: ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm => ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm