Message-ID: <20020928135205.GA26908@openwall.com>
Date: Sat, 28 Sep 2002 17:52:05 +0400
From: Solar Designer <solar@...nwall.com>
To: xvendor@...ts.openwall.com
Cc: Paul Eggert <eggert@...nsun.com>
Subject: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

JFYI (and to avoid list lag), I've just sent this to Bugtraq.  As all of
this is public for 1 to 4 years, I think this and GNU tar in general may
be discussed on xvendor rather than vendor-sec.

Paul, -- is there anything more current than tar-1.13.25 (released over
a year ago)?  Perhaps a CVS repository?

----- Forwarded message from Solar Designer <solar@...nwall.com> -----

Date: Sat, 28 Sep 2002 17:39:33 +0400
From: Solar Designer <solar@...nwall.com>
To: Bencsath Boldizsar <bencsath.boldizsar@...l2002.ebizlab.hit.bme.hu>
Cc: bugtraq@...urityfocus.com
Subject: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)
In-Reply-To: <Pine.LNX.4.44.0209270208190.21585-100000@...acontact.hu>
User-Agent: Mutt/1.4i

On Fri, Sep 27, 2002 at 02:11:07AM +0200, Bencsath Boldizsar wrote:
> 2. Description of the "tar" problem
>
> Creating a tar file with -P option one can put any file names in the tar
> file. While unpacking such tar files, tar is designed to remove leading
> slash. Another security feature of the tar package is to deny deployment
> of any files whose name contains "dotdot" (".."). A bug in the tar
> package leads to a security flaw:
> "../something" is denied by tar
> "/something" leading slash is removed
> "/../something" leading slash removed but ".." is NOT denied
> "./../something" ".." is NOT denied.
>
> Although we found this bug by studying tar, we found that this bug has
> been found by others, we should give them credit:

I believe 3APA3A was first to post this to Bugtraq last year:

http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666

At least 1.13.17 and 1.13.18 are known to get the contains_dot_dot()
function right, some older versions certainly didn't have it.  1.13.19
introduced a bug which broke the check and it's still not fixed in
1.13.25.

There's another related problem where tar could be made to follow a
symlink it just extracted and place a file outside of the intended
directory tree, pointed out on Bugtraq by Willy TARREAU in 1998:

http://marc.theaimsgroup.com/?l=bugtraq&m=90674255917321

Paul Eggert included a fix for it in 1.13.18:

"2000-10-23 ...Extract potentially dangerous symbolic links more
carefully, deferring their creation until the end, and using a regular
file placeholder in the meantime."

However, he later broke it with a typo (reversed check) in 1.13.19.
1.13.25 has that check fixed again.
I've now fixed these two bugs and a third (non-security) bug that
1.13.19 introduced for the Owl package, with proper credit to you and
others involved, in both the package and the system-wide change log:

http://www.openwall.com/Owl/CHANGES.shtml

Although the two security bugs are now fixed, please keep in mind that
tar has traditionally been intended for making and extracting tape
backups rather than archives obtained from untrusted sources.  Be very
careful with what input you pass it and what user you run it as.

I've attached the two security patches to this message.  The dot-dot
patch is valid for 1.13.19 to 1.13.25, the symlink patch is needed for
1.13.19 and possibly some versions after it but not 1.13.25.

Other patches that we use may be obtained via:

cvs -z3 -d :pserver:anoncvs:anoncvs@...ncvs.owl.openwall.com:/cvs co Owl/packages/tar

or:

http://www.openwall.com/Owl/ (and pick an FTP mirror)
ftp://ftp.ru.openwall.com/pub/Owl/current/native.tar.gz

-- 
/sd

diff -ur tar-1.13.19.orig/src/misc.c tar-1.13.19/src/misc.c --- tar-1.13.19.orig/src/misc.c Sat Jan 13 08:59:29 2001 +++ tar-1.13.19/src/misc.c Sat Sep 28 13:48:03 2002 @@ -206,12 +206,12 @@ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2])) return 1; - do + while (! ISSLASH (*p)) { if (! *p++) return 0; } - while (! ISSLASH (*p)); + p++; } } . diff -ur tar-1.13.19.orig/src/extract.c tar-1.13.19/src/extract.c --- tar-1.13.19.orig/src/extract.c Sat Jan 13 08:59:29 2001 +++ tar-1.13.19/src/extract.c Sat Sep 28 15:37:33 2002 @@ -850,7 +850,7 @@ break; if (absolute_names_option - || (ISSLASH (current_link_name + || (! ISSLASH (current_link_name [FILESYSTEM_PREFIX_LEN (current_link_name)]) && ! contains_dot_dot (current_link_name))) {

----- End forwarded message -----
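Review bot: in the misc.c hunk, whether the added `+ p++;` at the end of the loop body is correct depends on the enclosing loop header, which is outside the hunk's three lines of context: if that header is `for (;; p++)`, the pointer is advanced twice per component and a `..` that follows a single `/` (as in `x/../y`) is stepped over, so either quote the header in the hunk or keep the increment in one place only. The removed `- do` / `- while (! ISSLASH (*p));` pair is the real fix, since a do/while consumes the byte under `p` before it ever tests for a separator and so never compares the component after a leading `/`; a regression test over `/../x`, `x/../y`, `x/..`, `..` (all must be rejected) and `..a/b`, `./x` (both must pass) would pin this behaviour down.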
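Review bot: in the extract.c hunk the flipped sign (`- || (ISSLASH (current_link_name` to `+ || (! ISSLASH (current_link_name`) is the whole change, but the condition it sits in is not self-explanatory, which is how it got reversed in 1.13.19 in the first place; a comment above `if (absolute_names_option` stating the invariant (a link is created immediately only when its target is relative and has no `..` component, otherwise its creation is deferred) would make the sign hard to get wrong again. Note also that this condition calls `contains_dot_dot (current_link_name)`, so it is only effective together with the misc.c hunk; the two should ship as one change.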
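As an added example that is not part of this message and not GNU tar's source, the following models the two checks discussed above: a scanner with the pre-patch do/while shape beside the corrected one, a member-name filter that strips leading slashes and then applies the corrected scanner, and the symlink-creation decision from the extract.c hunk with the sign the patch restores. ISSLASH is assumed to be the POSIX form (only '/' separates components) and the filesystem prefix length is assumed to be zero; the sample names in main() are constructed for the demonstration.

```c
/* Added example, not GNU tar's source.  Models the ".." component
 * scanner (pre-patch and corrected shapes), a member-name filter built
 * on the corrected scanner, and the symlink decision from extract.c.
 * Assumption: POSIX paths, '/' is the only separator, no drive prefix. */
#include <stdio.h>
#include <string.h>

#define ISSLASH(c) ((c) == '/')

/* Pre-patch shape: the do/while consumes the byte under P before it
 * tests for a separator.  Whenever the loop top is reached with P on a
 * '/', that '/' and the entire following component are swallowed
 * without being compared against "..", so "/../x" and "a//../b" pass. */
int contains_dot_dot_buggy(const char *p)
{
    for (;; p++) {
        if (p[0] == '.' && p[1] == '.' && (ISSLASH(p[2]) || !p[2]))
            return 1;
        do {
            if (!*p++)
                return 0;
        } while (!ISSLASH(*p));
    }
}

/* Corrected shape: test for the separator first, consume afterwards, so
 * the component that starts right after any '/' is compared as well.
 * The for-increment steps over the separator the while loop stopped on,
 * which is the single place the pointer crosses a '/'. */
int contains_dot_dot_fixed(const char *p)
{
    for (;; p++) {
        if (p[0] == '.' && p[1] == '.' && (ISSLASH(p[2]) || !p[2]))
            return 1;
        while (!ISSLASH(*p)) {
            if (!*p++)
                return 0;
        }
    }
}

/* What an extractor should do with a member name before touching the
 * filesystem: drop leading slashes (the behaviour the message describes)
 * and refuse any name that still carries a ".." component.  Returns a
 * pointer into NAME, or NULL when the member must be rejected. */
const char *safe_member_name(const char *name)
{
    while (ISSLASH(*name))
        name++;
    if (contains_dot_dot_fixed(name))
        return NULL;
    return name;
}

/* The decision from the extract.c hunk with the restored sign: a symlink
 * may be created immediately only when its target is relative and has
 * no ".." component; anything else is deferred (placeholder file now,
 * real link once extraction is complete). */
int symlink_safe_to_create_now(const char *target)
{
    return !ISSLASH(target[0]) && !contains_dot_dot_fixed(target);
}

int main(void)
{
    /* Constructed sample member names, not taken from any real archive. */
    static const char *const names[] = {
        "../x", "/../x", "a//../b", "x/../y", "x/..", "..a/b", "./x",
    };
    size_t i;

    printf("%-10s %-6s %-6s %s\n", "name", "buggy", "fixed", "extract as");
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *safe = safe_member_name(names[i]);
        printf("%-10s %-6d %-6d %s\n", names[i],
               contains_dot_dot_buggy(names[i]),
               contains_dot_dot_fixed(names[i]),
               safe ? safe : "(rejected)");
    }
    return 0;
}
```

The table printed by main() shows where the two scanners disagree: only the corrected one flags a ".." component that directly follows a separator it landed on, which is the "/../something" case from the report. Stripping leading slashes before the scan, as safe_member_name() does, is the order an extractor wants regardless of scanner, since the name that is checked is then the name that is actually used.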