FS#51563 - [tar] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321)

Attached to Project: Arch Linux
Opened by Pavol Hluchý (Lopo) - Friday, 28 October 2016, 04:21 GMT
Last edited by Sébastien Luttringer (seblu) - Thursday, 03 November 2016, 13:11 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Sébastien Luttringer (seblu)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

GNU `tar' archiver attempts to avoid path traversal attacks by removing offending parts of the element name at extract. This sanitizing leads to a vulnerability where the attacker can bypass the path name(s) specified on the command line.


Full info + patch:

http://seclists.org/fulldisclosure/2016/Oct/96
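To make the description concrete, the following is an added model of the filter-ordering problem the report describes; it is not GNU tar's code and not the patch linked above. It assumes two behaviours: that extraction rewrites unsafe member names by dropping leading slashes and everything up to the last ".." component (modelled on tar's "Removing leading ..." warning), and that the bypass comes from evaluating the command-line name filter on the raw header name before that rewrite. The archive member names are constructed for the example.

```python
"""Model of the POINTYFEATHER (CVE-2016-6321) filter-ordering flaw.

Added example, not GNU tar's own code.  Two assumptions are built in:
  * the name rewrite drops leading "/" and everything up to and
    including the last ".." component (assumed form of tar's
    "Removing leading ..." behaviour);
  * the bypass is a matter of ordering: filtering on the raw name and
    rewriting afterwards lets a rewritten name land outside the path
    the user asked for.
"""


def strip_unsafe_prefix(member_name: str) -> str:
    """Rewrite an archive member name into a relative, '..'-free name.

    Everything up to and including the last ".." component is removed,
    then any leading slashes.  An empty result becomes "." so the caller
    always gets a usable relative path.
    """
    parts = member_name.split("/")
    cut = 0
    for i, component in enumerate(parts):
        if component == "..":
            cut = i + 1            # boundary moves past the last ".."
    remaining = parts[cut:]
    while remaining and remaining[0] == "":
        remaining.pop(0)           # leading "" components come from "/" prefixes
    return "/".join(remaining) or "."


def name_selected(member_name: str, requested: list) -> bool:
    """Command-line name matching as modelled here: a member is selected
    when it equals a requested name or lies underneath it."""
    for req in requested:
        req = req.rstrip("/")
        if member_name == req or member_name.startswith(req + "/"):
            return True
    return False


def plan_extraction_vulnerable(members: list, requested: list) -> list:
    """Flawed order: filter on the raw header name, rewrite afterwards.
    Returns the paths that would actually be written."""
    written = []
    for name in members:
        if name_selected(name, requested):
            written.append(strip_unsafe_prefix(name))
    return written


def plan_extraction_fixed(members: list, requested: list) -> list:
    """Safe order: rewrite first, then filter on the name that will be
    written, so the filter sees exactly what reaches the filesystem."""
    written = []
    for name in members:
        safe_name = strip_unsafe_prefix(name)
        if name_selected(safe_name, requested):
            written.append(safe_name)
    return written


def unexpected_paths(plan: list, requested: list) -> list:
    """Defender's check: which written paths fall outside the requested
    names?  Empty means the command-line restriction held."""
    return [p for p in plan if not name_selected(p, requested)]


# Constructed archive listing (hypothetical member names for the demo).
ARCHIVE_MEMBERS = [
    "docs/README",
    "docs/README/../../outside.txt",  # crafted: rewrites to "outside.txt"
    "/etc/motd.example",              # absolute name: rewrites to "etc/motd.example"
    "other/file",
]
REQUESTED = ["docs/README"]          # what the user typed on the command line

if __name__ == "__main__":
    for label, planner in (("vulnerable", plan_extraction_vulnerable),
                           ("fixed", plan_extraction_fixed)):
        plan = planner(ARCHIVE_MEMBERS, REQUESTED)
        print(f"{label}: writes {plan}; "
              f"outside requested path: {unexpected_paths(plan, REQUESTED)}")
```

Run as a script, the vulnerable planner writes `outside.txt` even though only `docs/README` was requested, while the fixed planner writes `docs/README` alone; `unexpected_paths` is the assertion a regression test would keep around.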

Closed by Sébastien Luttringer (seblu)
Thursday, 03 November 2016, 13:11 GMT
Reason for closing: Fixed
Additional comments about closing: tar-1.29-2
Comment by Sébastien Luttringer (seblu) - Friday, 28 October 2016, 13:20 GMT
I built a version with the provided patch (changing the path to lib/paxnames.c to work with tar's tarball). It applies without code modification.

The test suite didn't pass. I'm not sure if we have to trust this CVE/patch, considering that upstream refuses to consider the problem.

For reference, subject was posted on bug-tar: http://lists.gnu.org/archive/html/bug-tar/2016-10/msg00012.html
Comment by Levente Polyak (anthraxx) - Friday, 28 October 2016, 14:27 GMT
Well, the writeup is quite verbose and I'm not quite sure why it was not yet considered a real problem upstream.
We could have a look at the test to see why it actually fails; I can try to build it at the weekend.
Comment by Remi Gacogne (rgacogne) - Wednesday, 02 November 2016, 13:03 GMT
FWIW, the following patch [1] has now been committed upstream.

[1]: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
Comment by Sébastien Luttringer (seblu) - Wednesday, 02 November 2016, 19:54 GMT
Thanks Remi. This new patch looks completely different, but there is still a failure on test 144 on i686.

Sparse files

138: sparse files ok
139: extracting sparse file over a pipe ok
140: storing sparse files > 8G ok
141: storing long sparse file names ok
142: listing sparse files bigger than 2^33 B ok
143: storing sparse file using seek method ok
144: sparse files in MV archives FAILED (sparsemv.at:31)
145: sparse files in PAX MV archives, v.0.0 ok
146: sparse files in PAX MV archives, v.0.1 ok
147: sparse files in PAX MV archives, v.1.0 ok

Comment by Sébastien Luttringer (seblu) - Thursday, 03 November 2016, 11:01 GMT
tar-1.29-2 is uploaded with the last patch. Test suite passed.
