FS#51563 - [tar] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321)
Attached to Project:
Arch Linux
Opened by Pavol Hluchý (Lopo) - Friday, 28 October 2016, 04:21 GMT
Last edited by Sébastien Luttringer (seblu) - Thursday, 03 November 2016, 13:11 GMT
Details
Description:
GNU `tar' archiver attempts to avoid path traversal attacks by removing offending parts of the element name at extract. This sanitizing leads to a vulnerability where the attacker can bypass the path name(s) specified on the command line. Full info + patch: http://seclists.org/fulldisclosure/2016/Oct/96
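
A pre-extraction audit for the behaviour described above, as an added example that is not part of the original report or of tar's code. It assumes the command-line path name selects members by prefix and models the sanitizing as dropping everything through the last `..` component; the function names and sample member names are hypothetical.

```python
import io
import posixpath
import tarfile


def build_sample_archive():
    """Constructed sample: one ordinary member and one whose name contains '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme", "docs/readme/../config/settings"):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def stripped_name(name):
    """Simplified model of the sanitizing (assumption, not tar's own code):
    drop everything up to and including the last '..' component."""
    parts = name.split("/")
    if ".." not in parts:
        return name.lstrip("/")
    last = len(parts) - 1 - parts[::-1].index("..")
    return "/".join(parts[last + 1:])


def audit(archive_bytes, requested):
    """Return (member, landing_path) pairs that the requested path name
    selects but that would land outside it once the name is sanitized."""
    requested = requested.rstrip("/")
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        for name in tar.getnames():  # names only, nothing is extracted
            selected = name == requested or name.startswith(requested + "/")
            landing = posixpath.normpath(stripped_name(name))
            inside = landing == requested or landing.startswith(requested + "/")
            if selected and not inside:
                findings.append((name, landing))
    return findings
```

Running `audit(build_sample_archive(), "docs/readme")` flags only the second member, whose sanitized name no longer sits under the path that was asked for.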
Closed by Sébastien Luttringer (seblu)
Thursday, 03 November 2016, 13:11 GMT
Reason for closing: Fixed
Additional comments about closing: tar-1.29-2
The test suite didn't pass. I'm not sure if we have to trust this CVE/patch, considering that upstream refuses to consider the problem.
For reference, subject was posted on bug-tar: http://lists.gnu.org/archive/html/bug-tar/2016-10/msg00012.html
We could have a look at the test to see why it actually fails; I can try to build it at the weekend.
[1]: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
Sparse files
138: sparse files ok
139: extracting sparse file over a pipe ok
140: storing sparse files > 8G ok
141: storing long sparse file names ok
142: listing sparse files bigger than 2^33 B ok
143: storing sparse file using seek method ok
144: sparse files in MV archives FAILED (sparsemv.at:31)
145: sparse files in PAX MV archives, v.0.0 ok
146: sparse files in PAX MV archives, v.0.1 ok
147: sparse files in PAX MV archives, v.1.0 ok