Your message dated Sat, 15 Feb 2014 21:20:56 +0000
with message-id <e1wemfq-00029u...@franck.debian.org>
and subject line Bug#731860: fixed in libtar 1.2.20-2
has caused the Debian Bug report #731860,
regarding libtar: CVE-2013-4420: directory traversal when extracting archives
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
731860: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtar
Severity: grave
Tags: security
Hi,
the following vulnerability was published for libtar.
CVE-2013-4420[0]:
tar_extract_glob and tar_extract_all path prefix directory traversal
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
http://security-tracker.debian.org/tracker/CVE-2013-4420
Attached is a proposed patch that makes libtar work similarly to tar.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Index: libtar-1.2.16/lib/decode.c
===================================================================
--- libtar-1.2.16.orig/lib/decode.c 2013-12-09 14:11:03.212344872 +0100
+++ libtar-1.2.16/lib/decode.c 2013-12-09 14:49:19.865470471 +0100
@@ -21,24 +21,54 @@
# include <string.h>
#endif
+char *
+safer_name_suffix (char const *file_name)
+{
+ char const *p, *t;
+ p = t = file_name;
+ while (*p)
+ {
+ if (p[0] == '.' && p[0] == p[1] && p[2] == '/')
+ {
+ p += 3;
+ t = p;
+ }
+ /* advance pointer past the next slash */
+ while (*p && (p++)[0] != '/');
+ }
+
+ if (!*t)
+ {
+ t = ".";
+ }
+
+ if (t != file_name)
+ {
+ /* TODO: warn somehow that the path was modified */
+ }
+ return (char*)t;
+}
/* determine full path name */
char *
th_get_pathname(TAR *t)
{
static char filename[MAXPATHLEN];
+ char *safer_name;
if (t->th_buf.gnu_longname)
- return t->th_buf.gnu_longname;
+ return safer_name_suffix(t->th_buf.gnu_longname);
+
+ safer_name = safer_name_suffix(t->th_buf.name);
if (t->th_buf.prefix[0] != '\0')
{
snprintf(filename, sizeof(filename), "%.155s/%.100s",
- t->th_buf.prefix, t->th_buf.name);
+ t->th_buf.prefix, safer_name);
return filename;
}
- snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);
+ snprintf(filename, sizeof(filename), "%.100s", safer_name);
return filename;
}
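Review bot: the `../` stripping in safer_name_suffix only catches every other consecutive `../` component, because after `p += 3; t = p;` control falls straight into `while (*p && (p++)[0] != '/');`, which consumes the next component without testing it. For `../../etc/passwd` the first `../` moves t, the inner loop then skips the second `../` unchecked, and the function returns `../etc/passwd`, so an archive with an even number of leading `..` components still traverses out of the extraction directory. Put a `continue;` after `t = p;` (or set `t = p + 3` without advancing p and let the inner loop move past the component) so every component is examined. Three more gaps in the same hunk: a leading `/` is never removed, so an absolute member name such as `/etc/passwd` comes back unchanged; a final `..` with no trailing slash (`foo/..`) is not matched because the test insists on `p[2] == '/'`; and in th_get_pathname the ustar `prefix` field goes into `snprintf(filename, sizeof(filename), "%.155s/%.100s", t->th_buf.prefix, safer_name)` unsanitised, so `../../etc` in prefix plus `passwd` in name bypasses the check entirely. Join prefix and name first and sanitise the joined string.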
Index: libtar-1.2.16/lib/extract.c
===================================================================
--- libtar-1.2.16.orig/lib/extract.c 2013-12-09 14:11:03.212344872 +0100
+++ libtar-1.2.16/lib/extract.c 2013-12-09 14:39:22.248955358 +0100
@@ -305,7 +305,7 @@ tar_extract_hardlink(TAR * t, char *real
linktgt = &lnp[strlen(lnp) + 1];
}
else
- linktgt = th_get_linkname(t);
+ linktgt = safer_name_suffix(th_get_linkname(t));
#ifdef DEBUG
printf(" ==> extracting: %s (link to %s)\n", filename, linktgt);
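Review bot: rewriting the hard link target through safer_name_suffix silently changes which file the link points at rather than rejecting the entry, and since safer_name_suffix (decode.c hunk above) leaves a leading `/` in place, a stored target such as `/etc/passwd` still reaches the link() call untouched. An absolute or `..`-bearing hard link target should be refused, or at least logged, not quietly remapped. Only the `else` branch is covered here; please confirm that the `lnp` table entries used in `linktgt = &lnp[strlen(lnp) + 1];` are names that already went through th_get_pathname, and say so in a comment.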
@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna
#ifdef DEBUG
printf(" ==> extracting: %s (symlink to %s)\n",
- filename, th_get_linkname(t));
+ filename, safer_name_suffix(th_get_linkname(t)));
#endif
- if (symlink(th_get_linkname(t), filename) == -1)
+ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
{
#ifdef DEBUG
perror("symlink()");
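Review bot: a symlink target is resolved relative to the directory containing the link, so stripping `../` from it rewrites legitimate members: a link stored as `usr/bin/foo -> ../lib/foo` becomes `usr/bin/foo -> lib/foo`, i.e. `usr/bin/lib/foo`, breaking the archive with no diagnostic. The safer check is lexical: count the depth of the link's own directory and refuse the entry if the target's `..` components climb above the extraction root, and refuse absolute targets, which safer_name_suffix leaves untouched. Also, `th_get_linkname(t)` is evaluated and sanitised twice, once under `#ifdef DEBUG` and once in the symlink() call; compute it once into a local and use it in both places. This hunk does not cover the other half of the symlink problem either, a later member of the same archive being extracted through a symlink created by an earlier one.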
Index: libtar-1.2.16/lib/internal.h
===================================================================
--- libtar-1.2.16.orig/lib/internal.h 2012-05-17 09:34:32.000000000 +0200
+++ libtar-1.2.16/lib/internal.h 2013-12-09 14:36:57.503866114 +0100
@@ -15,3 +15,4 @@
#include <libtar.h>
+char* safer_name_suffix(char const*);
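Review bot: safer_name_suffix is declared in internal.h but defined with external linkage and no libtar-specific prefix, so it will be exported from the shared library and can collide with a same-named symbol in any program that links libtar; give it a `th_` or `tar_` prefix, or mark it static/hidden. The prototype also returns `char*` for a `char const*` input, which is why the definition needs `return (char*)t;`; declaring it `const char *safer_name_suffix(const char *)` removes the cast and makes clear that callers must not modify the result.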
--- End Message ---
--- Begin Message ---
Source: libtar
Source-Version: 1.2.20-2
We believe that the bug you reported is fixed in the latest version of
libtar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 731...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Magnus Holmgren <holmg...@debian.org> (supplier of updated libtar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 15 Feb 2014 21:49:37 +0100
Source: libtar
Binary: libtar-dev libtar0
Architecture: source amd64
Version: 1.2.20-2
Distribution: unstable
Urgency: low
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Magnus Holmgren <holmg...@debian.org>
Description:
libtar-dev - C library for manipulating tar archives (development files)
libtar0 - C library for manipulating tar archives
Closes: 657116 731860
Changes:
libtar (1.2.20-2) unstable; urgency=low
.
* no_static_buffers.patch: avoid using a static buffer in
th_get_pathname(). Taken from upstream. Needed for no_maxpathlen.patch.
* maxpathlen.patch: Fix FTBFS on Hurd by dynamically allocating path
names (Closes: #657116). Thanks to Svante Signell and Petter
Reinholdtsen.
* [SECURITY] CVE-2013-4420.patch: Strip out leading slashes and any
pathname prefix containing ".." components (Closes: #731860). This is
done in th_get_pathname() (as well as to symlink targets when
extracting symlinks), not merely when extracting files, which means
applications calling that function will not see the stored
filename. There is no way to disable this behaviour, but it can be
expected that one will be provided when the issue is solved upstream.
* Bump Standards-Version to 3.9.5.
Checksums-Sha1:
d8a14e21ae8bbd2f1d95f1280d80791680f83beb 1223 libtar_1.2.20-2.dsc
92e353b7d07f71c75e34f6f1ac87b4b803eb2f1c 8716 libtar_1.2.20-2.debian.tar.xz
1cdb02634deb09ab9655640adc055fdf864ffa22 41914 libtar-dev_1.2.20-2_amd64.deb
c0714924c81c94a433d1dcf7a51e41aab210ae66 22316 libtar0_1.2.20-2_amd64.deb
Checksums-Sha256:
3676db500b4a5cdb252a06303e9e8538243e00465227abc83c149b32f6d0d37f 1223 libtar_1.2.20-2.dsc
5ea31fcaf5c5ba6a1332ef4159c6e52ed54c311881aa72251f36034995fbd816 8716 libtar_1.2.20-2.debian.tar.xz
ba371e469520f1cadcd60eafd0db0f18c82deeea0ea23099353b4cbcc6d5c727 41914 libtar-dev_1.2.20-2_amd64.deb
db241179e88f0022eca8244cc51dcb27aedc6efc8f0d569a50261329ffeeca49 22316 libtar0_1.2.20-2_amd64.deb
Files:
348c774fef2bb4eb3b249867a340f970 1223 libs optional libtar_1.2.20-2.dsc
7bde420892804a86c9f4c3ac3e945902 8716 libs optional libtar_1.2.20-2.debian.tar.xz
064ce167bbc62a997a68a38d55c2fbba 41914 libdevel optional libtar-dev_1.2.20-2_amd64.deb
26ce4fdde5392135373285ac13d67e7b 22316 libs optional libtar0_1.2.20-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEAREIAAYFAlL/1BcACgkQk7mRNn1h4+bTGwCfbWMxnN0+iRjfzdLNfE6IJvo/
FoEAnRjXkIJaTH89HhrtmidEkNeErBgh
=pXuc
-----END PGP SIGNATURE-----
--- End Message ---
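The changelog entry above describes the rule the Debian package applies: strip leading slashes and any pathname prefix containing ".." components, in th_get_pathname and on symlink targets. The C block below is an added example, not libtar's code and not the Debian patch, showing that rule written the way the GNU tar approach Raphael's mail refers to does it (remember the last leading ".." component, then skip slashes), applied to the joined ustar prefix/name pair so that the prefix field cannot smuggle ".." past a check made on the name field alone, plus a lexical depth check that refuses symlink targets escaping the extraction root instead of rewriting them. The function names, the constructed member names in main(), and the choice to refuse rather than rewrite symlink targets are this example's own assumptions; the 155/100 field widths in the join are the ones libtar's th_get_pathname uses.

```c
/* Added example: tar member-name sanitisation in the spirit of the Debian
 * CVE-2013-4420 changelog above. Not libtar code; function names are this
 * example's own. Build with: cc -Wall -o safer safer.c */
#include <stdio.h>
#include <string.h>

/* Return a pointer into `name` that skips leading slashes and everything up
 * to and including the last ".." component seen while scanning from the
 * left. "a/../../b" -> "b", "/etc/passwd" -> "etc/passwd", "foo/.." -> ".",
 * "..foo/bar" is left alone ("..foo" is an ordinary component). */
const char *strip_unsafe_prefix(const char *name)
{
    const char *p = name;
    const char *cut = name;             /* everything before cut is dropped */

    while (*p) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            cut = p + 2;                /* remember the last ".." component */
        while (*p && *p != '/') p++;    /* to the end of this component */
        while (*p == '/') p++;          /* past any run of slashes */
    }
    while (*cut == '/') cut++;          /* absolute names and "/../" leftovers */
    return *cut ? cut : ".";
}

/* Join the ustar prefix and name fields (same widths as libtar's
 * th_get_pathname) and sanitise the joined result, so ".." in the prefix
 * field is subject to exactly the same rule as ".." in the name field. */
const char *safe_member_path(const char *prefix, const char *name,
                             char *out, size_t outlen)
{
    if (prefix && prefix[0] != '\0')
        snprintf(out, outlen, "%.155s/%.100s", prefix, name);
    else
        snprintf(out, outlen, "%.100s", name);
    return strip_unsafe_prefix(out);
}

/* Walk `path` component by component starting at directory depth `depth`.
 * "." and empty components are ignored, ".." climbs one level, anything
 * else descends one. Returns the final depth, or -1 as soon as the walk
 * would climb above the extraction root. With skip_last set, the final
 * component (the link's own file name) is not counted. */
static int walk_components(const char *path, int depth, int skip_last)
{
    const char *p = path;

    while (*p) {
        const char *start = p;
        size_t n;

        while (*p && *p != '/') p++;
        n = (size_t)(p - start);
        while (*p == '/') p++;
        if (skip_last && *p == '\0')
            break;                      /* this was the file name itself */
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)
                return -1;
        } else {
            depth++;
        }
    }
    return depth;
}

/* Lexical check for a symlink member: does `target`, resolved relative to
 * the directory that will contain `linkname`, point outside the extraction
 * root? Legitimate relative links such as usr/bin/foo -> ../lib/foo pass;
 * absolute targets and targets that climb past the root are refused.
 * Lexical only: it knows nothing about symlinks already present on disk. */
int symlink_target_escapes(const char *linkname, const char *target)
{
    int dir_depth;

    if (target[0] == '/')
        return 1;
    dir_depth = walk_components(linkname, 0, 1);
    if (dir_depth < 0)
        return 1;
    return walk_components(target, dir_depth, 0) < 0;
}

int main(void)
{
    /* constructed member names for illustration, not from any real archive */
    static const char *const names[] = {
        "../../etc/passwd", "/etc/passwd", "a/../../b", "foo/..", "usr/bin/x"
    };
    char buf[155 + 1 + 100 + 1];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s -> %s\n", names[i], strip_unsafe_prefix(names[i]));
    printf("prefix+name        -> %s\n",
           safe_member_path("../../etc", "passwd", buf, sizeof buf));
    printf("usr/bin/foo -> ../lib/foo escapes: %d\n",
           symlink_target_escapes("usr/bin/foo", "../lib/foo"));
    printf("a/link -> ../../etc/passwd escapes: %d\n",
           symlink_target_escapes("a/link", "../../etc/passwd"));
    return 0;
}
```

Two design points worth noting. strip_unsafe_prefix records the position of the last ".." rather than cutting as soon as it sees one, which is what makes a run like `../../` collapse correctly in a single pass; and the symlink check deliberately returns a verdict instead of a rewritten target, because a relative `..` in a symlink target is often legitimate and rewriting it silently turns a working archive into a broken one.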