Message-ID: <52578F24.8050700@redhat.com>
Date: Thu, 10 Oct 2013 23:39:48 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: libtar: missing validation of file names

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/10/2013 01:28 PM, Naufragium Est wrote:
> is this also CVE-worthy?
>
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
>
>> The functions tar_extract_glob and tar_extract_all accept a path
>> prefix on where to extract files to. However, libtar does not
>> validate the file names stored inside a tar file, possibly
>> leading to a file extraction outside the prefix path. For
>> example, consider a file name "../../etc/passwd". If extract_all
>> is called with prefix "/home/USER/", libtar would try to
>> overwrite "/etc/passwd".
>
> not fixed yet:
>
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000362.html
>
>> Once I figure out the right way of handling this, there will
>> probably be another libtar release.
Please use CVE-2013-4420 for libtar tar_extract_glob and tar_extract_all
path prefix directory traversal

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
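As an added example that is not part of this thread and not libtar's own code: a lexical check that an archive member name cannot leave the extraction prefix, the kind of validation the quoted report says tar_extract_all and tar_extract_glob lack. The names `tar_name_is_safe` and `build_extract_path` are my own and are not libtar API; archive symlinks are a separate concern not handled here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Does a tar member name stay inside the extraction prefix (lexically)?
 * Absolute names are rejected, and ".." components are tracked so the
 * path can never climb above the prefix, even after descending first
 * ("a/../b" is fine, "a/../../b" is not). Empty and "." components are
 * ignored. Symlinks inside the archive are not covered by this check. */
bool tar_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;                         /* empty or absolute */
    int depth = 0;                            /* components below the prefix */
    for (const char *p = name; ; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return false;                 /* would escape the prefix */
        } else if (len > 1 || (len == 1 && p[0] != '.')) {
            depth++;                          /* ordinary component */
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/* Build "<prefix>/<name>" into out only when the name passed the check.
 * Returns false and leaves out empty on an unsafe name or on truncation,
 * so a caller can never open a path that was not validated. */
bool build_extract_path(char *out, size_t outsz,
                        const char *prefix, const char *name)
{
    out[0] = '\0';
    if (!tar_name_is_safe(name))
        return false;
    size_t plen = strlen(prefix);
    const char *sep = (plen > 0 && prefix[plen - 1] == '/') ? "" : "/";
    int n = snprintf(out, outsz, "%s%s%s", prefix, sep, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';                        /* truncated: do not use */
        return false;
    }
    return true;
}
```

With the report's own values, `build_extract_path(dest, sizeof dest, "/home/USER/", "../../etc/passwd")` returns false, while "etc/passwd" yields "/home/USER/etc/passwd".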