Date:      Tue, 28 Aug 2007 22:41:54 GMT
From:      Nick Barkas <snb@threerings.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/115914: [patch] archivers/gtar directory traversal vulnerability
Message-ID:  <200708282241.l7SMfsoK060434@www.freebsd.org>
Resent-Message-ID: <200708282250.l7SMo137096624@freefall.freebsd.org>


>Number:         115914
>Category:       ports
>Synopsis:       [patch] archivers/gtar directory traversal vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 28 22:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 7.0
>Organization:
Three Rings Design
>Environment:
FreeBSD freebsd-current.localdomain 7.0-CURRENT-200706 FreeBSD 7.0-CURRENT-200706 #0: Sun Jun  3 18:41:02 UTC 2007     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
As reported here http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4131:

"Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive."

Attached is a patch to archivers/gtar that adds a tiny patch that I believe fixes this bug that was committed to gtar's cvs repository. Concatenated onto the same file (seems like the web interface only lets me upload a single patch) is another patch to security/vuxml/vuln.xml, adding a VuXML entry for this vulnerability.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -urN gtar.orig/Makefile gtar/Makefile
--- gtar.orig/Makefile	Wed Aug 29 00:21:05 2007
+++ gtar/Makefile	Wed Aug 29 00:21:35 2007
@@ -7,6 +7,7 @@
 
 PORTNAME=	tar
 PORTVERSION=	1.18
+PORTREVISION=	1
 CATEGORIES=	archivers sysutils
 MASTER_SITES=	${MASTER_SITE_GNU}
 MASTER_SITE_SUBDIR=	${PORTNAME}
diff -urN gtar.orig/files/patch-src_names.c gtar/files/patch-src_names.c
--- gtar.orig/files/patch-src_names.c	Thu Jan  1 01:00:00 1970
+++ gtar/files/patch-src_names.c	Wed Aug 29 00:24:57 2007
@@ -0,0 +1,15 @@
+--- src/names.c.orig	Wed Aug 29 00:23:09 2007
++++ src/names.c	Wed Aug 29 00:24:07 2007
+@@ -1012,11 +1012,10 @@
+       if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+ 	return 1;
+ 
+-      do
++      while (! ISSLASH (*p));
+ 	{
+ 	  if (! *p++)
+ 	    return 0;
+ 	}
+-      while (! ISSLASH (*p));
+     }
+ }
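Review bot: The added `while (! ISSLASH (*p));` line in the embedded src/names.c patch ends in a semicolon, so the loop has an empty body and the braced block under it is no longer the loop body. When `*p` is not a slash the loop never advances `p` and cannot terminate, and when it is a slash the block with `if (! *p++)` runs exactly once. Drop the trailing `;` so the block becomes the body of the `while`, which is what replacing the `do` form is meant to achieve.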



--- vuxml.orig/vuln.xml	Tue Aug 28 23:42:25 2007
+++ vuxml/vuln.xml	Wed Aug 29 00:36:15 2007
@@ -34,6 +34,37 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="d944719e-42f4-4864-89ed-f045b541919f">
+    <topic>gtar -- Directory traversal vulnerability in contains_dot_dot function</topic>
+    <affects>
+      <package>
+        <name>gtar</name>
+        <range><lt>1.18_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+        <p>Red Hat reports:</p>
+        <blockquote cite="http://rhn.redhat.com/errata/RHSA-2007-0860.html">;
+          <p>A path traversal flaw was discovered in the way GNU tar extracted archives.
+          A malicious user could create a tar archive that could write to arbitrary
+          files to which the user running GNU tar had write access.</p>
+        </blockquote>
+	<p>Red Hat credits Dmitry V. Levin for reporting the issue.</p>
+      </body>
+    </description>
+    <references>
+      <bid>25417</bid>
+      <cvename>CVE-2007-4131</cvename>
+      <url>http://rhn.redhat.com/errata/RHSA-2007-0860.html</url>;
+      <url>https://bugzilla.redhat.com/show_bug.cgi?id=251921</url>;
+    </references>
+    <dates>
+      <discovery>2007-8-23</discovery>
+      <entry>2007-8-28</entry>
+    </dates>
+  </vuln>  
+
   <vuln vid="d9867f50-54d0-11dc-b80b-0016179b2dd5">
     <topic>claws-mail -- POP3 Format String Vulnerability</topic>
     <affects>
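Review bot: The `<discovery>` and `<entry>` values are written `2007-8-23` and `2007-8-28`; write them zero-padded as `2007-08-23` and `2007-08-28` so they are in YYYY-MM-DD form. In the same entry, the `<p>Red Hat credits ...` line is indented with a tab where its neighbours use spaces, and `</vuln>` is followed by trailing whitespace. The `;` after several tags also shows on the unchanged `<vuxml ...>` context line, so it looks like mail rendering rather than part of the change, but confirm the file as applied has none.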


>Release-Note:
>Audit-Trail:
>Unformatted:
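The loop change that the src/names.c hunk is aiming for, as an added example that is not code from this PR or from GNU tar: the two loop shapes are run side by side over constructed member names to show which ones the `do`/`while` form misses. The function names, the `ISSLASH` definition and the enclosing `for (;; p++)` are assumptions made for the example.

```c
#include <stdio.h>

/* Assumption: POSIX-style separator only; the real ISSLASH macro is not shown on the page. */
#define ISSLASH(c) ((c) == '/')

/* Loop shape on the "-" lines of the hunk: do/while always steps over one
   character before testing for a slash. The outer for (;; p++) is assumed. */
static int dotdot_do_while(const char *name)
{
    const char *p = name;
    for (;; p++) {
        if (p[0] == '.' && p[1] == '.' && (ISSLASH(p[2]) || !p[2]))
            return 1;
        do {
            if (!*p++)
                return 0;
        } while (!ISSLASH(*p));
    }
}

/* Intended replacement: a plain while with the block as its body (no
   trailing semicolon), so a slash already at *p is not stepped over. */
static int dotdot_while(const char *name)
{
    const char *p = name;
    for (;; p++) {
        if (p[0] == '.' && p[1] == '.' && (ISSLASH(p[2]) || !p[2]))
            return 1;
        while (!ISSLASH(*p)) {
            if (!*p++)
                return 0;
        }
    }
}

int main(void)
{
    /* Constructed member names, not taken from a real archive. */
    const char *names[] = { "dir/file", "dir/../file", "dir//..",
                            "dir//../file", "..", "a..b/c" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s do/while=%d while=%d\n", names[i],
               dotdot_do_while(names[i]), dotdot_while(names[i]));
    return 0;
}
```

With the `do`/`while` form, the second slash of a `//` pair is consumed as the start of a component, so the `..` after it is never tested; the `while` form leaves the pointer on the slash and the outer loop lands on the `..`.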


