Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Debian has issued an advisory for this on January 30:
https://lwn.net/Alerts/713128/

URL: (none) => https://lwn.net/Vulnerabilities/713148/

Suggested advisory:
========================

The updated package fix a security vulnerability:

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry. (CVE-2016-10173)

References:
http://openwall.com/lists/oss-security/2017/01/29/1
https://lwn.net/Alerts/713128/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10173
========================

Updated package in core/updates_testing:
========================
ruby-archive-tar-minitar-0.5.2-14.1.mga5

from SRPMS:
ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs

Shall test this on both architectures.  The openwall link in the Description section above leads to a test where minitar is exercised on the command line.

CC: (none) => tarazed25
Whiteboard: (none) => has_procedure

x86_64 before update:

Followed the procedure at https://github.com/halostatue/minitar/issues/16 more-or-less verbatim.
$ touch /tmp/querty1234
$ tar cf symlink-overwrite.tar ../../../../../../../../../../../../../../tmp/querty1234
$ ls -l *.tar
-rw-r--r-- 1 lcl lcl 10240 Feb 18 08:48 symlink-overwrite.tar
$ rm -rf /tmp/querty1234
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar:19:in `<top (required)>': undefined method `require_gem' for main:Object (NoMethodError)
	from /bin/minitar:23:in `load'
	from /bin/minitar:23:in `<main>'

I had to tamper with the minitar script and replace "require_gem" with gem before it would run.  Bug report on that later.  Note that /usr/bin/minitar does use "gem" to access that script.

$ minitar extract symlink-overwrite.tar
$ ls -al /tmp/querty1234
ls: cannot access /tmp/querty1234: No such file or directory

But, oddly enough a tmp directory had been created in my qa testing directory:
[lcl@difda ~/qa]$ ls -al tmp
total 8
-rw-r--r-- 1 lcl lcl    0 Feb 18 09:05 querty1234
$ cd /
$ minitar extract ~/lcl/qa/symlink-overwrite.tar
$ cd
$ ls -al /tmp/querty1234
-rw-r--r-- 1 lcl lcl 0 Feb 18 09:24 /tmp/querty1234
  
Before the update the tar command works the same way.
-------------------------------------------------------------------------------
Updated to version 14.1 from core updates testing.
Discovered the -P option for tar and recreated the symlink-overwrite.tar file.

$ rm -rf tmp/querty1234 /tmp/qwerty1234
$ tar -tvf symlink-overwrite.tar 
tar: Removing leading `../../../../../../../../../../../../../../../' from member names
-rw-r--r-- lcl/vboxusers     0 2017-02-18 16:28 ../../../../../../../../../../../../../../../tmp/qwerty1234
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)

<backtrace>

$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory

This counts as desired behaviour but I think we could do without the backtrace.
OK for 64-bit systems.

The pre-update test had no value because the tar file did not contain the required data.

i586 in virtualbox

Imported symlink-overwrite.tar from the host.
Installed ruby-archive-tar-minitar version 14.
Edited the ...bin/minitar file in the ruby source files hierarchy, changing require_gem to gem.
Pre-update:
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
$ minitar extract symlink-overwrite.tar
$ ls -al /tmp/qwerty1234
-rw-r--r-- 1 lcl lcl 0 Feb 18 17:14 /tmp/qwerty1234
$ rm -rf /tmp/qwerty1234

Updated minitar to version 14.1.
Edited the minitar file again.
$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)
<backtrace>
$ ls -al /tmp/qwerty1234
ls: cannot access /tmp/qwerty1234: No such file or directory
$ tar xf symlink-overwrite.tar 
tar: Removing leading `../../../../../../../../../../../../../../../' from member names
tar: ../../../../../../../../../../../../../../../tmp/qwerty1234: Member name contains '..'

Working as intended.

Thanks Len. Validating the update

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

I will push a version also correcting bug 20317

Resolution: (none) => OLD
Status: ASSIGNED => RESOLVED

Now it's fixed.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â 20317
Checking SRPMs⦠                      â (5/core/ruby-archive-tar-minitar-0.5.2-14.1) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Hoping this is the correct thing to do; modified the Source RPM field.
Validating again.

Source RPM: ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm => ruby-archive-tar-minitar-0.5.2-14.1.mga5.src.rpm

The problem is in the advisory in SVN which lacks the `.mga5` suffix: http://svnweb.mageia.org/advisories/20207.adv?view=markup

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory => has_procedure MGA5-64-OK MGA5-32-OK

No, this was moved to the other bug and the update was pushed.  It doesn't need an adv file and the Source RPM field shouldn't have been modified.