Solar Designer | 28 Sep 15:52

Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

JFYI (and to avoid list lag), I've just sent this to Bugtraq.  As all
of this is public for 1 to 4 years, I think this and GNU tar in
general may be discussed on xvendor rather than vendor-sec.

Paul, -- is there anything more current than tar-1.13.25 (released
over a year ago)?  Perhaps a CVS repository?

----- Forwarded message from Solar Designer <solar@...> -----

Date: Sat, 28 Sep 2002 17:39:33 +0400
From: Solar Designer <solar@...>
To: Bencsath Boldizsar <bencsath.boldizsar@...>
Cc: bugtraq@...
Subject: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)
In-Reply-To: <Pine.LNX.4.44.0209270208190.21585-100000@...>
User-Agent: Mutt/1.4i

On Fri, Sep 27, 2002 at 02:11:07AM +0200, Bencsath Boldizsar wrote:
> 2. Description of the "tar" problem
> 
> Creating a tar file with -P option one can put any file names in the tar
> file. While unpacking such tar files, tar is designed to remove leading
> slash. Other security feature of the tar package is to deny deployment of
> any files whose name contains "dotdot" (".."). A bug in the tar package
> leads to a security flaw:
> "../something" is denied by tar
> "/something" leading slash is removed
> "/../something"  leading slash removed but ".." is NOT denied
> "./../something" ".." is NOT denied.
> 
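The four member names listed above (accepted or denied depending on whether the ".." sits at the very start of the name) are the whole story of this bug. As an added example, written for this page and not taken from GNU tar or from any message in this thread, the following C shows a naive prefix-style check modelled on the behaviour Boldizsar describes (a hypothetical stand-in, not tar's real contains_dot_dot()) next to a component-wise check that cannot be bypassed with a leading "/" or "./". The function names and the sample member names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/*
 * Naive check modelled on the observed behaviour: a prefix test applied
 * before leading slashes are stripped.  HYPOTHETICAL illustration only,
 * not GNU tar's code.  Returns 1 if the member name is rejected.
 */
int naive_rejects(const char *name)
{
    if (strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0)
        return 1;               /* catches "../x" ... */
    return 0;                   /* ... but not "/../x" or "./../x" */
}

/* Drop leading slashes, as tar does for absolute names without -P. */
const char *strip_leading_slashes(const char *name)
{
    while (*name == '/')
        name++;
    return name;
}

/*
 * Component-wise check: reject the name if ANY '/'-separated component
 * is exactly "..".  A leading "/" or "./" in front of it changes nothing,
 * and a component such as "..foo" or "..." is a legitimate file name.
 */
int contains_dot_dot_component(const char *name)
{
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && *end != '/')
            end++;              /* end now points at the component's end */
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p = end;
        while (*p == '/')
            p++;                /* skip one or more separators */
    }
    return 0;
}

/*
 * Decide whether a member name may be extracted relative to the current
 * directory.  On success the relative name is copied to out and 1 is
 * returned; 0 means "skip this member".
 */
int safe_member_name(const char *name, char *out, size_t outlen)
{
    const char *rel = strip_leading_slashes(name);
    if (*rel == '\0')
        return 0;               /* "/" alone: nothing to extract */
    if (contains_dot_dot_component(rel))
        return 0;
    if (strlen(rel) >= outlen)
        return 0;
    strcpy(out, rel);
    return 1;
}

int main(void)
{
    /* Constructed sample names, the four cases from the report plus two more. */
    const char *names[] = {
        "../something", "/something", "/../something", "./../something",
        "etc/../../passwd", "dir/..notdotdot/file"
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-22s naive: %s  component-wise: %s\n", names[i],
               naive_rejects(names[i]) ? "denied " : "allowed",
               safe_member_name(names[i], buf, sizeof buf)
                   ? "allowed" : "denied ");
    }
    return 0;
}
```

The component walk is the check a practitioner actually wants: normalising the name (stripping "/" or "./") and then testing a prefix, in either order, leaves a window, whereas testing every component closes it regardless of how the name was dressed up.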

Mark J Cox | 28 Sep 22:19

Re: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

> Paul, -- is there anything more current than tar-1.13.25 (released
> over a year ago)?  Perhaps a CVS repository?

Yes, we noticed this problem with ./../ not being caught and told the tar
folks.  We allocated CAN-2002-0399 for this, wrote a patch, prepared an 
errata, but waited to see if an official fix was coming.  

Date: Mon, 27 May 2002 11:44:58 +0100 (BST)
From: Mark J Cox <mjc@...>
To: bug-tar@..., eggert@...
Cc: teg@..., bbrock@...
Subject: [SECURITY] bug in contains_dot_dot routine

We've recently been looking at the vulnerability mentioned on bugtraq
nearly a year ago:

"Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows
local users overwrite arbitrary files during archive extraction via a tar
file whose filenames contain a .. (dot dot)."  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267

This was fixed by the routine contains_dot_dot in misc.c in tar, which
catches the case where a tar file contains an entry such as "../foo"

However during testing of 1.13.25 we found that we could still trigger
this problem with an entry such as "./../foo" and this is due to a logic
error in misc.c

I've attached a small patch that fixes this (I didn't spend time looking
to see if multiple ISSLASH are already stripped, if so you could optimize

Solar Designer | 29 Sep 09:02

Re: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

On Sat, Sep 28, 2002 at 09:19:42PM +0100, Mark J Cox wrote:
> Yes we noticed this problem with ./../ not being caught and told the tar
> folks.

I know, -- your message on this is referenced with our fix.

> We allocated CAN-2002-0399 for this,

I'm confused.  CAN-2001-1267 or CAN-2002-0399?

I've now added a reference to CAN-2001-1267.

> wrote a patch, prepared an errata, but waited to see if an official
> fix was coming.  

Well, with two Bugtraq announcements, I don't think it makes sense to
wait any longer.

Do you also have a CVE number for the symlink issue (see the 1998
Bugtraq posting)?

> We've recently been looking at the vulnerability mentioned on bugtraq
> nearly a year ago:
> 
> "Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows
> local users overwrite arbitrary files during archive extraction via a tar
> file whose filenames contain a .. (dot dot)."  
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267

3APA3A was slightly wrong when saying "and earlier".  At least some

Mark J Cox | 29 Sep 13:43

Re: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

> > We allocated CAN-2002-0399 for this,
> 
> I'm confused.  CAN-2001-1267 or CAN-2002-0399?

Well, CAN-2001-1267 is for the original issue "Directory traversal
vulnerability in GNU tar 1.13.19 and earlier allows local users overwrite
arbitrary files during archive extraction via a tar file whose filenames
contain a .. (dot dot).".  The general approach in the past has basically
been "if the vendor didn't fix the issue properly the first time, keep the
same CAN."  But that goes against the more common-sense "rule" that if an
issue appears in version X but not version X-1, it should be separated
from an issue that's in X-1.  

So I discussed it with the CVE team and they said use CAN-2002-0399 for
the vulnerability that "due to a logic error GNU tar up to and including
1.3.25 are vulnerable to a ./.. extraction problem"

> Well, with two Bugtraq announcements, I don't think it makes sense to
> wait any longer.

I noticed that our errata came out of QA this weekend too, so we'll
probably pop that out tomorrow.

> Do you also have a CVE number for the symlink issue (see the 1998
> Bugtraq posting)?

I couldn't find one for that, we'll need to ask Mitre for one (since it's
an old issue I can't allocate one).  Mail "coley@..." with the
URL reference, he's usually pretty quick at allocating unless the issue is
complex.