Bug 20207 - ruby-archive-tar-minitar new security issue CVE-2016-10173
Summary: ruby-archive-tar-minitar new security issue CVE-2016-10173
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal; Severity: normal
Target Milestone: ---
Assignee: Nicolas Salguero
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/713148/
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK
Keywords:
Depends on: 20317
Blocks:
Reported: 2017-01-29 17:46 CET by David Walser
Modified: 2017-02-27 18:44 CET

See Also:
Source RPM: ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-01-29 17:46:47 CET
A CVE has been assigned for a security issue in ruby-archive-tar-minitar:
http://openwall.com/lists/oss-security/2017/01/29/1

That project is dead and has been superseded by a "minitar" project, which has fixed this issue.  Backporting the patch to the version we have in Mageia 5 appears to be non-trivial.
Comment 1 Marja Van Waes 2017-01-29 23:26:32 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2017-02-01 02:03:50 CET
Debian has issued an advisory for this on January 30:
https://lwn.net/Alerts/713128/

URL: (none) => https://lwn.net/Vulnerabilities/713148/

Comment 3 Nicolas Salguero 2017-02-16 15:46:43 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry. (CVE-2016-10173)

References:
http://openwall.com/lists/oss-security/2017/01/29/1
https://lwn.net/Alerts/713128/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10173
========================

Updated package in core/updates_testing:
========================
ruby-archive-tar-minitar-0.5.2-14.1.mga5

from SRPMS:
ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs

Comment 4 Len Lawrence 2017-02-18 09:20:30 CET
Shall test this on both architectures.  The openwall link in the Description section above leads to a test where minitar is exercised on the command line.

CC: (none) => tarazed25
Whiteboard: (none) => has_procedure

Comment 5 Len Lawrence 2017-02-18 17:50:15 CET
x86_64 before update:

Followed the procedure at https://github.com/halostatue/minitar/issues/16 more-or-less verbatim.
$ touch /tmp/querty1234
$ tar cf symlink-overwrite.tar ../../../../../../../../../../../../../../tmp/querty1234
$ ls -l *.tar
-rw-r--r-- 1 lcl lcl 10240 Feb 18 08:48 symlink-overwrite.tar
$ rm -rf /tmp/querty1234
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar:19:in `<top (required)>': undefined method `require_gem' for main:Object (NoMethodError)
	from /bin/minitar:23:in `load'
	from /bin/minitar:23:in `<main>'

I had to tamper with the minitar script and replace "require_gem" with gem before it would run.  Bug report on that later.  Note that /usr/bin/minitar does use "gem" to access that script.

$ minitar extract symlink-overwrite.tar
$ ls -al /tmp/querty1234
ls: cannot access /tmp/querty1234: No such file or directory

But, oddly enough, a tmp directory had been created in my qa testing directory:
[lcl@difda ~/qa]$ ls -al tmp
total 8
-rw-r--r-- 1 lcl lcl    0 Feb 18 09:05 querty1234
$ cd /
$ minitar extract ~/lcl/qa/symlink-overwrite.tar
$ cd
$ ls -al /tmp/querty1234
-rw-r--r-- 1 lcl lcl 0 Feb 18 09:24 /tmp/querty1234
Before the update the tar command works the same way.
-------------------------------------------------------------------------------
Updated to version 14.1 from core updates testing.
Discovered the -P option for tar and recreated the symlink-overwrite.tar file.

$ rm -rf tmp/querty1234 /tmp/qwerty1234
$ tar -tvf symlink-overwrite.tar
tar: Removing leading `../../../../../../../../../../../../../../../' from member names
-rw-r--r-- lcl/vboxusers     0 2017-02-18 16:28 ../../../../../../../../../../../../../../../tmp/qwerty1234
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)

<backtrace>

$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory

This counts as desired behaviour but I think we could do without the backtrace.
OK for 64-bit systems.

The pre-update test had no value because the tar file did not contain the required data.
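The advisory in comment 3 describes the flaw (an entry name containing `..` escapes the extraction directory) and the test above shows the patched gem refusing such an entry with "Error path contains ..". The following Ruby is an added illustration of that kind of pre-extraction check; it is not code from the minitar gem, from the Mageia patch, or from this bug report. The function names (`safe_entry_name?`, `check_entry!`, `filter_entries`), the destination directory `/srv/extract` and the sample entry names are all constructed for the example. It rejects absolute names and any name with a `..` component, and additionally confirms that the normalised destination stays under the extraction directory:

```ruby
# Added example: validating tar entry names before anything is written to disk.
# Not part of the archive-tar-minitar gem; all names here are constructed.

# Return true when +name+ may safely be joined onto +dest_dir+.
# Rejected: empty names, absolute names, any ".." path component, and any
# name whose expanded form would fall outside dest_dir. Like the patched gem,
# this is deliberately conservative: "a/../b" is refused even though it would
# stay inside the directory. Symlink targets in the archive are not examined.
def safe_entry_name?(dest_dir, name)
  return false if name.nil? || name.empty?
  return false if name.start_with?("/")
  return false if name.split("/").include?("..")

  # Defence in depth: normalise the joined path and check the prefix, so a
  # future change to the component check cannot silently reopen the hole.
  dest = File.expand_path(dest_dir)
  full = File.expand_path(File.join(dest, name))
  full == dest || full.start_with?(dest + "/")
end

# Raise before extraction instead of after a file has been written; the
# message mirrors the one the patched gem produced in the test above.
def check_entry!(dest_dir, name)
  unless safe_entry_name?(dest_dir, name)
    raise ArgumentError, "#{name} Error path contains .. or escapes #{dest_dir}"
  end
  name
end

# Split a list of entry names into [allowed, rejected], as an extractor
# loop would do for every header it reads.
def filter_entries(dest_dir, names)
  names.partition { |n| safe_entry_name?(dest_dir, n) }
end

# Constructed sample entry names (not read from a real archive).
SAMPLE_ENTRIES = [
  "docs/readme.txt",
  "./bin/tool",
  "../../../../../../../../../../tmp/qwerty1234", # the pattern from the bug report
  "/etc/passwd",                                  # absolute name
  "ok/../../escape",                              # traversal after a legitimate directory
  "a/../b",                                       # stays inside, but ".." is still refused
].freeze

if __FILE__ == $PROGRAM_NAME
  allowed, rejected = filter_entries("/srv/extract", SAMPLE_ENTRIES)
  puts "allowed:  #{allowed.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

Run with `ruby example.rb`; only `docs/readme.txt` and `./bin/tool` survive the filter. Note that GNU tar, as the `tar -tvf` output above shows, strips leading `../` components and warns, whereas the patched minitar aborts the extraction; either way nothing is written outside the target directory.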
Comment 6 Len Lawrence 2017-02-18 18:24:29 CET
i586 in virtualbox

Imported symlink-overwrite.tar from the host.
Installed ruby-archive-tar-minitar version 14.
Edited the ...bin/minitar file in the ruby source files hierarchy, changing require_gem to gem.
Pre-update:
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
$ minitar extract symlink-overwrite.tar
$ ls -al /tmp/qwerty1234
-rw-r--r-- 1 lcl lcl 0 Feb 18 17:14 /tmp/qwerty1234
$ rm -rf /tmp/qwerty1234

Updated minitar to version 14.1.
Edited the minitar file again.
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)
<backtrace>
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
$ tar xf symlink-overwrite.tar 
tar: Removing leading `../../../../../../../../../../../../../../../' from member names
tar: ../../../../../../../../../../../../../../../tmp/qwerty1234: Member name contains '..'

Working as intended.
Len Lawrence 2017-02-18 18:26:13 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK MGA5-32-OK

Dave Hodgins 2017-02-19 22:20:32 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory

Comment 7 Dave Hodgins 2017-02-20 04:46:20 CET
Thanks Len. Validating the update

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Nicolas Salguero 2017-02-20 15:07:45 CET
I will push a version also correcting bug 20317

Resolution: (none) => OLD
Status: ASSIGNED => RESOLVED

David Walser 2017-02-20 15:39:52 CET

Status: RESOLVED => REOPENED
CC: (none) => qa-bugs
Depends on: (none) => 20317
Resolution: OLD => (none)
Assignee: qa-bugs => nicolas.salguero

Comment 9 David Walser 2017-02-20 23:39:48 CET
Now it's fixed.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 10 Nicolas Lécureuil 2017-02-26 22:51:10 CET
Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs…             20317
Checking SRPMs…                      (5/core/ruby-archive-tar-minitar-0.5.2-14.1)


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 11 Len Lawrence 2017-02-27 13:17:43 CET
Hoping this is the correct thing to do; modified the Source RPM field.
Validating again.

Source RPM: ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm => ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm

Len Lawrence 2017-02-27 13:18:00 CET

Keywords: (none) => validated_update

Comment 12 Rémi Verschelde 2017-02-27 13:27:35 CET
The problem is in the advisory in SVN which lacks the `.mga5` suffix: http://svnweb.mageia.org/advisories/20207.adv?view=markup

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory => has_procedure MGA5-64-OK MGA5-32-OK

Len Lawrence 2017-02-27 13:46:58 CET

Keywords: validated_update => (none)

Comment 13 David Walser 2017-02-27 17:41:33 CET
No, this was moved to the other bug and the update was pushed.  It doesn't need an adv file and the Source RPM field shouldn't have been modified.
Len Lawrence 2017-02-27 18:44:56 CET

Source RPM: ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm => ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm
