Bug 20317 - Deprecated code and new security issue CVE-2016-10173 in ruby-archive-tar-minitar
Summary: Deprecated code and new security issue CVE-2016-10173 in ruby-archive-tar-minitar
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks: 20207
Reported: 2017-02-19 16:54 CET by Len Lawrence
Modified: 2017-02-20 23:19 CET (History)

See Also:
Source RPM: ruby-archive-tar-minitar-0.5.2-14.mga5.src.rpm
CVE:
Status comment:


Description Len Lawrence 2017-02-19 16:54:14 CET
Description of problem:
Our current version of ruby minitar contains a code error and needs a simple patch in order to work.  'require_gem' is deprecated and needs to be replaced by 'gem' and as far as is known the fault occurs in only one place.  The correction has been tested in QA against version 14.1 and shown to work.  Further note: /usr/bin/minitar uses 'gem', not 'require_gem'.

$ sudo urpmi ruby-archive-tar-minitar
    $MIRRORLIST: media/core/release/ruby-archive-tar-minitar-0.5.2-14.mga5.noarch.rpm

$ minitar extract bin.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar:19:in `<top (required)>': undefined method `require_gem' for main:Object (NoMethodError)
	from /usr/bin/minitar:23:in `load'
	from /usr/bin/minitar:23:in `<main>'

$ ruby --version
ruby 2.0.0p648 (2015-12-16 revision 53162) [x86_64-linux]


Version-Release number of selected component (if applicable):
ruby-archive-tar-minitar-0.5.2-14.mga5.noarch

How reproducible:
It is consistent.

Steps to Reproduce:
1. Install ruby-archive-tar-minitar-0.5.2-14
2. Use minitar to extract a standard TAR file
3.
Comment 1 Nicolas Salguero 2017-02-20 15:12:28 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry. (CVE-2016-10173)

Moreover, the updated packages replace the deprecated require_gem with gem to make minitar work.

References:
http://openwall.com/lists/oss-security/2017/01/29/1
https://lwn.net/Alerts/713128/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10173
========================

Updated package in core/updates_testing:
========================
ruby-archive-tar-minitar-0.5.2-14.2.mga5
ruby-archive-tar-minitar-doc-0.5.2-14.2.mga5

from SRPMS:
ruby-archive-tar-minitar-0.5.2-14.2.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs

Nicolas Salguero 2017-02-20 15:15:00 CET

Component: RPM Packages => Security
Summary: Deprecated code in ruby-archive-tar-minitar => Deprecated code and new security issue CVE-2016-10173 in ruby-archive-tar-minitar

David Walser 2017-02-20 15:39:52 CET

Blocks: (none) => 20207

Comment 2 Len Lawrence 2017-02-20 16:27:48 CET
Testing this again on x86_64 after updating the packages.

$ minitar extract icons.tar
This generated an icons directory with a number of valid image icons in it.
Used the earlier PoC file to demonstrate that the updated minitar traps the CVE-2016-10173 issue.
$ minitar extract symlink-overwrite.tar 
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)
followed by a backtrace.
Len Lawrence 2017-02-20 16:28:17 CET

Whiteboard: (none) => has_procedure MGA5-64-OK

Comment 3 Len Lawrence 2017-02-20 17:00:07 CET
Updated these on i586 virtualbox.
Checked the source code at /usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar to confirm the edit:
  gem 'archive-tar-minitar', '= 0.5.2'

$ mv bin oldbin
$ minitar extract bin.tar
$ ls bin
accumulate    copycal          gorilla         printcode     tarback
backdocs      copydata         hail            printing      tbird
backroom      copydocs         hailstones      purgelist     tidy
.......
Tested PoC file:
$ minitar extract symlink-overwrite.tar 
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)

which is the expected output.
Len Lawrence 2017-02-20 17:00:42 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Comment 4 Lewis Smith 2017-02-20 20:39:26 CET
Validating & advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-02-20 23:19:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0060.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
