From owner-freebsd-ports-bugs@FreeBSD.ORG  Tue Aug 28 22:50:01 2007
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C981316A41B
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Tue, 28 Aug 2007 22:50:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 902E513C457
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Tue, 28 Aug 2007 22:50:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l7SMo12W096625
	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Tue, 28 Aug 2007 22:50:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l7SMo137096624;
	Tue, 28 Aug 2007 22:50:01 GMT (envelope-from gnats)
Resent-Date: Tue, 28 Aug 2007 22:50:01 GMT
Resent-Message-Id: <200708282250.l7SMo137096624@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Nick Barkas <snb@threerings.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3088316A41A
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 28 Aug 2007 22:41:55 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 193D213C45B
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 28 Aug 2007 22:41:55 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.1/8.14.1) with ESMTP id l7SMfsi0060435
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 28 Aug 2007 22:41:54 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.1/8.14.1/Submit) id l7SMfsoK060434;
	Tue, 28 Aug 2007 22:41:54 GMT (envelope-from nobody)
Message-Id: <200708282241.l7SMfsoK060434@www.freebsd.org>
Date: Tue, 28 Aug 2007 22:41:54 GMT
From: Nick Barkas <snb@threerings.net>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: ports/115914: [patch] archivers/gtar directory traversal
	vulnerability
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2007 22:50:02 -0000


>Number:         115914
>Category:       ports
>Synopsis:       [patch] archivers/gtar directory traversal vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 28 22:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 7.0
>Organization:
Three Rings Design
>Environment:
FreeBSD freebsd-current.localdomain 7.0-CURRENT-200706 FreeBSD 7.0-CURRENT-200706 #0: Sun Jun  3 18:41:02 UTC 2007     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
As reported here http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4131:

"Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive."

Attached is a patch to archivers/gtar that adds a tiny patch that I believe fixes this bug that was committed to gtar's cvs repository. Concatenated onto the same file (seems like the web interface only lets me upload a single patch) is another patch to security/vuxml/vuln.xml, adding a VuXML entry for this vulnerability.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -urN gtar.orig/Makefile gtar/Makefile
--- gtar.orig/Makefile	Wed Aug 29 00:21:05 2007
+++ gtar/Makefile	Wed Aug 29 00:21:35 2007
@@ -7,6 +7,7 @@
 
 PORTNAME=	tar
 PORTVERSION=	1.18
+PORTREVISION=	1
 CATEGORIES=	archivers sysutils
 MASTER_SITES=	${MASTER_SITE_GNU}
 MASTER_SITE_SUBDIR=	${PORTNAME}
diff -urN gtar.orig/files/patch-src_names.c gtar/files/patch-src_names.c
--- gtar.orig/files/patch-src_names.c	Thu Jan  1 01:00:00 1970
+++ gtar/files/patch-src_names.c	Wed Aug 29 00:24:57 2007
@@ -0,0 +1,15 @@
+--- src/names.c.orig	Wed Aug 29 00:23:09 2007
++++ src/names.c	Wed Aug 29 00:24:07 2007
+@@ -1012,11 +1012,10 @@
+       if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+ 	return 1;
+ 
+-      do
++      while (! ISSLASH (*p));
+ 	{
+ 	  if (! *p++)
+ 	    return 0;
+ 	}
+-      while (! ISSLASH (*p));
+     }
+ }



--- vuxml.orig/vuln.xml	Tue Aug 28 23:42:25 2007
+++ vuxml/vuln.xml	Wed Aug 29 00:36:15 2007
@@ -34,6 +34,37 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="d944719e-42f4-4864-89ed-f045b541919f">
+    <topic>gtar -- Directory traversal vulnerability in contains_dot_dot function</topic>
+    <affects>
+      <package>
+        <name>gtar</name>
+        <range><lt>1.18_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+        <p>Red Hat reports:</p>
+        <blockquote cite="http://rhn.redhat.com/errata/RHSA-2007-0860.html">
+          <p>A path traversal flaw was discovered in the way GNU tar extracted archives.
+          A malicious user could create a tar archive that could write to arbitrary
+          files to which the user running GNU tar had write access.</p>
+        </blockquote>
+	<p>Red Hat credits Dmitry V. Levin for reporting the issue.</p>
+      </body>
+    </description>
+    <references>
+      <bid>25417</bid>
+      <cvename>CVE-2007-4131</cvename>
+      <url>http://rhn.redhat.com/errata/RHSA-2007-0860.html</url>
+      <url>https://bugzilla.redhat.com/show_bug.cgi?id=251921</url>
+    </references>
+    <dates>
+      <discovery>2007-8-23</discovery>
+      <entry>2007-8-28</entry>
+    </dates>
+  </vuln>  
+
   <vuln vid="d9867f50-54d0-11dc-b80b-0016179b2dd5">
     <topic>claws-mail -- POP3 Format String Vulnerability</topic>
     <affects>


>Release-Note:
>Audit-Trail:
>Unformatted: