Your message dated Mon, 24 Feb 2014 21:47:17 +0000
with message-id <e1wi3mr-00015k...@franck.debian.org>
and subject line Bug#731860: fixed in libtar 1.2.16-1+deb7u2
has caused the Debian Bug report #731860,
regarding libtar: CVE-2013-4420: directory traversal when extracting archives
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
731860: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtar
Severity: grave
Tags: security
Hi,
the following vulnerability was published for libtar.
CVE-2013-4420[0]:
tar_extract_glob and tar_extract_all path prefix directory traversal
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
http://security-tracker.debian.org/tracker/CVE-2013-4420
Attached is a proposed patch that makes libtar work similarly to tar.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Index: libtar-1.2.16/lib/decode.c
===================================================================
--- libtar-1.2.16.orig/lib/decode.c 2013-12-09 14:11:03.212344872 +0100
+++ libtar-1.2.16/lib/decode.c 2013-12-09 14:49:19.865470471 +0100
@@ -21,24 +21,54 @@
# include <string.h>
#endif
+char *
+safer_name_suffix (char const *file_name)
+{
+ char const *p, *t;
+ p = t = file_name;
+ while (*p)
+ {
+ if (p[0] == '.' && p[0] == p[1] && p[2] == '/')
+ {
+ p += 3;
+ t = p;
+ }
+ /* advance pointer past the next slash */
+ while (*p && (p++)[0] != '/');
+ }
+
+ if (!*t)
+ {
+ t = ".";
+ }
+
+ if (t != file_name)
+ {
+ /* TODO: warn somehow that the path was modified */
+ }
+ return (char*)t;
+}
/* determine full path name */
char *
th_get_pathname(TAR *t)
{
static char filename[MAXPATHLEN];
+ char *safer_name;
if (t->th_buf.gnu_longname)
- return t->th_buf.gnu_longname;
+ return safer_name_suffix(t->th_buf.gnu_longname);
+
+ safer_name = safer_name_suffix(t->th_buf.name);
if (t->th_buf.prefix[0] != '\0')
{
snprintf(filename, sizeof(filename), "%.155s/%.100s",
- t->th_buf.prefix, t->th_buf.name);
+ t->th_buf.prefix, safer_name);
return filename;
}
- snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);
+ snprintf(filename, sizeof(filename), "%.100s", safer_name);
return filename;
}
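Review bot: in th_get_pathname the ustar prefix field is still passed through unsanitized (`t->th_buf.prefix, safer_name);`), so a header whose prefix carries `../` components still composes into a traversing path even though `name` was cleaned; compose prefix and name into `filename` first and then `return safer_name_suffix(filename);` so the whole path is checked. Two smaller points in safer_name_suffix: the condition `p[2] == '/'` never fires for a trailing `..` with no slash after it, and nothing in this function removes a leading `/`, so an absolute member name passes through unchanged, which does not match the changelog text in the closing message that says leading slashes are stripped. The `/* TODO: warn somehow that the path was modified */` block should at least return or log the fact that `t != file_name`, since callers currently get no indication, and `return (char*)t;` discards the const qualifier of the argument; returning `char const *` would avoid the cast.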
Index: libtar-1.2.16/lib/extract.c
===================================================================
--- libtar-1.2.16.orig/lib/extract.c 2013-12-09 14:11:03.212344872 +0100
+++ libtar-1.2.16/lib/extract.c 2013-12-09 14:39:22.248955358 +0100
@@ -305,7 +305,7 @@ tar_extract_hardlink(TAR * t, char *real
linktgt = &lnp[strlen(lnp) + 1];
}
else
- linktgt = th_get_linkname(t);
+ linktgt = safer_name_suffix(th_get_linkname(t));
#ifdef DEBUG
printf(" ==> extracting: %s (link to %s)\n", filename, linktgt);
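Review bot: only the `else` branch is sanitized here; the `linktgt = &lnp[strlen(lnp) + 1];` assignment in the branch just above still takes the hard-link target verbatim, so a link whose target arrives through that path is not covered. Apply `safer_name_suffix()` to `linktgt` once after the if/else instead of inside one branch.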
@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna
#ifdef DEBUG
printf(" ==> extracting: %s (symlink to %s)\n",
- filename, th_get_linkname(t));
+ filename, safer_name_suffix(th_get_linkname(t)));
#endif
- if (symlink(th_get_linkname(t), filename) == -1)
+ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
{
#ifdef DEBUG
perror("symlink()");
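Review bot: `safer_name_suffix(th_get_linkname(t))` is evaluated twice, once in the DEBUG printf and once for symlink(); compute it once into a local and use it in both places. Note also that this rewrites legitimate relative symlink targets (a target of `../lib/libfoo.so` becomes `lib/libfoo.so`), and because safer_name_suffix only has a TODO where the warning would go, neither the library nor the calling application records that the target was changed; that behaviour change should be stated in the changelog and the warning implemented.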
Index: libtar-1.2.16/lib/internal.h
===================================================================
--- libtar-1.2.16.orig/lib/internal.h 2012-05-17 09:34:32.000000000 +0200
+++ libtar-1.2.16/lib/internal.h 2013-12-09 14:36:57.503866114 +0100
@@ -15,3 +15,4 @@
#include <libtar.h>
+char* safer_name_suffix(char const*);
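Review bot: the prototype `char* safer_name_suffix(char const*);` declares a function that returns a non-const pointer into its const argument, which is what forces the `(char*)t` cast in decode.c; declare the return as `char const *` where the callers allow it, or document why the qualifier is dropped. A one-line comment saying what the function strips would also help, since internal.h is the only place other translation units see it.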
--- End Message ---
--- Begin Message ---
Source: libtar
Source-Version: 1.2.16-1+deb7u2
We believe that the bug you reported is fixed in the latest version of
libtar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 731...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Magnus Holmgren <holmg...@debian.org> (supplier of updated libtar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 16 Feb 2014 19:12:18 +0100
Source: libtar
Binary: libtar-dev libtar0
Architecture: source amd64
Version: 1.2.16-1+deb7u2
Distribution: wheezy-security
Urgency: low
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Magnus Holmgren <holmg...@debian.org>
Description:
libtar-dev - C library for manipulating tar archives (development files)
libtar0 - C library for manipulating tar archives
Closes: 731860
Changes:
libtar (1.2.16-1+deb7u2) wheezy-security; urgency=low
.
* [SECURITY] CVE-2013-4420.patch: Strip out leading slashes and any
pathname prefix containing ".." components (Closes: #731860). This is
done in th_get_pathname() (as well as to symlink targets when
extracting symlinks), not merely when extracting files, which means
applications calling that function will not see the stored
filename. There is no way to disable this behaviour, but it can be
expected that one will be provided when the issue is solved upstream.
* th_get_size-unsigned-int.patch: Make the th_get_size() macro cast the
result from oct_to_int() to unsigned int. This is the right fix for
bug #725938 on 64-bit systems, where a specially crafted tar file
would not cause an integer overflow, but a memory allocation of almost
16 exbibytes, which would certainly fail outright without harm.
Checksums-Sha1:
802ffdebb5f65af2e74f65f9b5a503b5e0d53855 1251 libtar_1.2.16-1+deb7u2.dsc
18afc654c0f8a212d5b958e4b7875919ba642d45 7707 libtar_1.2.16-1+deb7u2.debian.tar.gz
c169e3aa47d06f244db8c2c779efcad9c6ce33dd 46670 libtar-dev_1.2.16-1+deb7u2_amd64.deb
05594ff225883b61b75a4aa065336c36487dfbc5 25210 libtar0_1.2.16-1+deb7u2_amd64.deb
Checksums-Sha256:
b63c5e990dccc47c6e969849cbe151510516459e3ba975135c3f6ed4f6816ace 1251 libtar_1.2.16-1+deb7u2.dsc
1cfa13f3a03db741ad8caf21cd28ba171cab26f0edf7f1d3227d0661ab47d572 7707 libtar_1.2.16-1+deb7u2.debian.tar.gz
6ab5b85bb870d5b728904898620306e03dcbac2feeb61965ddca22fb9d6dafb8 46670 libtar-dev_1.2.16-1+deb7u2_amd64.deb
2af1b13ed40acbc856e1430c4a1cf90832efe814aae51d9f8522bd7e943fdbec 25210 libtar0_1.2.16-1+deb7u2_amd64.deb
Files:
dee0c9ae99dcd5c12a887ede6e50f645 1251 libs optional libtar_1.2.16-1+deb7u2.dsc
fe4bd92a58df28f61b943fcaf8b439f5 7707 libs optional libtar_1.2.16-1+deb7u2.debian.tar.gz
c35289858ccbeded669071349793b833 46670 libdevel optional libtar-dev_1.2.16-1+deb7u2_amd64.deb
50ffe04c880ae9319c6c4f05aedeeabd 25210 libs optional libtar0_1.2.16-1+deb7u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEAREIAAYFAlMBCYYACgkQk7mRNn1h4+bhUACeIzUS2mmZ429Jzs3z4jo0m8nr
whcAmgJEDIxrnHYNmgjX7vWSd3ypSLcL
=zEq8
-----END PGP SIGNATURE-----
--- End Message ---
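The changelog above describes the fix as stripping leading slashes and any pathname prefix containing ".." components. The following is an added example, not libtar's or Debian's code, showing what such a sanitizer has to do to cover the cases discussed in this thread: absolute names, a trailing ".." with no slash after it, and a ustar header whose traversal sits in the prefix field rather than the name field. The function names (sanitize_member_name, sanitize_ustar_path, the *_sanitizes_to helpers) are assumptions chosen for this example; the return value reports whether the name was altered, which is the "warn somehow" that the proposed patch leaves as a TODO.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not libtar code). Reduce an archive member name to the part
 * that cannot escape the extraction directory: drop leading '/' characters and
 * everything up to and including the last ".." component. Returns 1 if the
 * name was changed, 0 if it was already safe, -1 if `out` is too small. */
int sanitize_member_name(const char *name, char *out, size_t outsz)
{
    const char *p = name;
    const char *t;          /* start of the suffix we will keep */
    int modified = 0;

    /* 1. absolute names: strip leading slashes */
    while (*p == '/') { p++; modified = 1; }
    t = p;

    /* 2. walk component by component; restart the kept suffix after each ".." */
    while (*p) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0')) {
            p += (p[2] == '/') ? 3 : 2;
            while (*p == '/') p++;      /* collapse "..//" runs */
            t = p;
            modified = 1;
            continue;
        }
        while (*p && *p != '/') p++;    /* skip this component */
        while (*p == '/') p++;          /* and the slashes after it */
    }

    if (*t == '\0') t = ".";            /* nothing left: extract into cwd */
    if (strlen(t) >= outsz) return -1;
    strcpy(out, t);
    return modified;
}

/* Compose the ustar prefix and name fields the way th_get_pathname does, and
 * sanitize the composed path rather than only the name field; sanitizing the
 * name alone would let a ".." stored in the prefix through. */
int sanitize_ustar_path(const char *prefix, const char *name,
                        char *out, size_t outsz)
{
    char joined[512];                   /* 155 + 1 + 100 fits comfortably */
    if (prefix[0] != '\0')
        snprintf(joined, sizeof joined, "%.155s/%.100s", prefix, name);
    else
        snprintf(joined, sizeof joined, "%.100s", name);
    return sanitize_member_name(joined, out, outsz);
}

/* Helpers used by the demo and tests: 1 if the input sanitizes to `want`. */
int sanitizes_to(const char *in, const char *want)
{
    char buf[256];
    return sanitize_member_name(in, buf, sizeof buf) >= 0 && strcmp(buf, want) == 0;
}

int ustar_sanitizes_to(const char *prefix, const char *name, const char *want)
{
    char buf[256];
    return sanitize_ustar_path(prefix, name, buf, sizeof buf) >= 0
        && strcmp(buf, want) == 0;
}

int main(void)
{
    /* constructed sample member names, the kind a hostile archive could carry */
    const char *samples[] = { "../../etc/passwd", "/etc/passwd",
                              "foo/../../bar", "foo/..", "usr/lib/x" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int changed = sanitize_member_name(samples[i], buf, sizeof buf);
        printf("%-18s -> %-12s %s\n", samples[i], buf,
               changed ? "(rewritten, log this)" : "");
    }
    return 0;
}
```

The caller decides what to do with a non-zero return: log it, count it, or refuse the archive outright; a library that silently rewrites names, as the thread notes, leaves applications unable to tell that the stored filename was not what they extracted.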