ports/115914: [patch] archivers/gtar directory traversal vulnerability
Nick Barkas
snb at threerings.net
Tue Aug 28 22:50:02 UTC 2007
>Number: 115914
>Category: ports
>Synopsis: [patch] archivers/gtar directory traversal vulnerability
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 28 22:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: FreeBSD 7.0
>Organization:
Three Rings Design
>Environment:
FreeBSD freebsd-current.localdomain 7.0-CURRENT-200706 FreeBSD 7.0-CURRENT-200706 #0: Sun Jun 3 18:41:02 UTC 2007 root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
As reported here http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4131:
"Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive."
Attached is a patch to archivers/gtar that adds a tiny patch that I believe fixes this bug that was committed to gtar's cvs repository. Concatenated onto the same file (seems like the web interface only lets me upload a single patch) is another patch to security/vuxml/vuln.xml, adding a VuXML entry for this vulnerability.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
diff -urN gtar.orig/Makefile gtar/Makefile
--- gtar.orig/Makefile Wed Aug 29 00:21:05 2007
+++ gtar/Makefile Wed Aug 29 00:21:35 2007
@@ -7,6 +7,7 @@
PORTNAME= tar
PORTVERSION= 1.18
+PORTREVISION= 1
CATEGORIES= archivers sysutils
MASTER_SITES= ${MASTER_SITE_GNU}
MASTER_SITE_SUBDIR= ${PORTNAME}
diff -urN gtar.orig/files/patch-src_names.c gtar/files/patch-src_names.c
--- gtar.orig/files/patch-src_names.c Thu Jan 1 01:00:00 1970
+++ gtar/files/patch-src_names.c Wed Aug 29 00:24:57 2007
@@ -0,0 +1,15 @@
+--- src/names.c.orig Wed Aug 29 00:23:09 2007
++++ src/names.c Wed Aug 29 00:24:07 2007
+@@ -1012,11 +1012,10 @@
+ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+ return 1;
+
+- do
++ while (! ISSLASH (*p));
+ {
+ if (! *p++)
+ return 0;
+ }
+- while (! ISSLASH (*p));
+ }
+ }
--- vuxml.orig/vuln.xml Tue Aug 28 23:42:25 2007
+++ vuxml/vuln.xml Wed Aug 29 00:36:15 2007
@@ -34,6 +34,37 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="d944719e-42f4-4864-89ed-f045b541919f">
+ <topic>gtar -- Directory traversal vulnerability in contains_dot_dot function</topic>
+ <affects>
+ <package>
+ <name>gtar</name>
+ <range><lt>1.18_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Red Hat reports:</p>
+ <blockquote cite="http://rhn.redhat.com/errata/RHSA-2007-0860.html">
+ <p>A path traversal flaw was discovered in the way GNU tar extracted archives.
+ A malicious user could create a tar archive that could write to arbitrary
+ files to which the user running GNU tar had write access.</p>
+ </blockquote>
+ <p>Red Hat credits Dmitry V. Levin for reporting the issue.</p>
+ </body>
+ </description>
+ <references>
+ <bid>25417</bid>
+ <cvename>CVE-2007-4131</cvename>
+ <url>http://rhn.redhat.com/errata/RHSA-2007-0860.html</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=251921</url>
+ </references>
+ <dates>
+ <discovery>2007-8-23</discovery>
+ <entry>2007-8-28</entry>
+ </dates>
+ </vuln>
+
<vuln vid="d9867f50-54d0-11dc-b80b-0016179b2dd5">
<topic>claws-mail -- POP3 Format String Vulnerability</topic>
<affects>
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list