Bug 1588760 (CVE-2018-12015)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2018-12015 perl: Directory traversal in Archive::Tar | | |
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | alexl, caillon+fedoraproject, caolanm, cbuissar, hhorak, john.j5live, jorton, jplesnik, kasal, perl-devel, perl-maint-list, ppisar, psabata, rhughes, rstrode, sandmann, steve |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | perl-Archive-Tar 2.28 | Doc Type: | If docs needed, set a value |
| Doc Text: | It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-06 19:18:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1588761, 1591205, 1592803, 1592804, 1592805, 1592806 | | |
| Bug Blocks: | 1588762 | | |
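The Doc Text above describes the failure mode: an archive that first creates a symbolic link and then carries a file entry whose path runs through that link, so extraction writes outside the intended directory. The following is an added example, not code from this bug report or from the Archive::Tar distribution itself, showing a pre-extraction audit that a caller of Archive::Tar can run before invoking extract, independently of the fix shipped in perl-Archive-Tar 2.28. The audit_archive function, the in-memory sample archive and the link target /tmp/elsewhere are constructed for illustration; the Archive::Tar and Archive::Tar::File methods used (add_data, get_files, full_path, is_symlink, linkname) are the module's documented API.

```perl
#!/usr/bin/perl
# Added example: audit a tar archive for entries that could escape the
# extraction directory before handing it to Archive::Tar->extract.
# Not part of the bug report or of Archive::Tar; audit_archive and the
# sample archive below are constructed for this demonstration.
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant qw(SYMLINK);
use File::Spec;

# Returns a list of human-readable findings; an empty list means the
# archive contains none of the patterns checked here.
sub audit_archive {
    my ($tar) = @_;
    my @findings;
    my %link_paths;   # archive paths that the archive itself declares as symlinks

    for my $entry ($tar->get_files) {
        my $path = $entry->full_path;

        # Absolute paths or '..' components leave the extraction root outright.
        if (File::Spec->file_name_is_absolute($path)
            || grep { $_ eq '..' } File::Spec->splitdir($path)) {
            push @findings, "$path: absolute or parent-relative path";
        }

        # Record every symlink entry together with its target. A later entry
        # written underneath such a path is the pattern this CVE describes.
        if ($entry->is_symlink) {
            my $target = $entry->linkname;
            push @findings, "$path: symlink to $target";
            $link_paths{$path} = $target;
            next;
        }

        # Flag any entry whose leading path components were declared as a
        # symlink earlier in the same archive.
        my @parts = File::Spec->splitdir($path);
        for my $i (0 .. $#parts - 1) {
            my $prefix = File::Spec->catdir(@parts[0 .. $i]);
            if (exists $link_paths{$prefix}) {
                push @findings,
                    "$path: written under symlinked path $prefix -> $link_paths{$prefix}";
                last;
            }
        }
    }
    return @findings;
}

# Constructed in-memory archive for demonstration; nothing is written to disk.
my $tar = Archive::Tar->new;
$tar->add_data('docs/README', "harmless content\n");
$tar->add_data('build', '', { type => SYMLINK, linkname => '/tmp/elsewhere' });
$tar->add_data('build/output.txt', "would be written through the link\n");

my @findings = audit_archive($tar);
if (@findings) {
    print "Refusing to extract:\n";
    print "  $_\n" for @findings;
    exit 1;
}
print "No findings; the archive may be passed to \$tar->extract\n";
```

Run against the constructed archive, the script reports the symlink entry and the file entry placed under it and exits non-zero; an archive with only regular files under relative paths passes. The audit only inspects entry metadata, so it adds no file-system side effects of its own, and it complements rather than replaces updating to a fixed perl-Archive-Tar package.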
Description
Pedro Sampaio
2018-06-07 19:51:57 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1588761]

Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide Archive::Tar module by perl source package, but by perl-Archive-Tar source package.

(In reply to Petr Pisar from comment #2)
> Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide
> Archive::Tar module by perl source package, but by perl-Archive-Tar source
> package.

Corrected. However, it seems that RHEL-5 also provides perl-Archive-Tar as source (i.e.: only RHEL-6 has Archive::Tar merged into perl source)

(In reply to Cedric Buissart from comment #3)
> However, it seems that RHEL-5 also provides perl-Archive-Tar as
> source (i.e.: only RHEL-6 has Archive::Tar merged into perl source)

You are right. RHEL-5 also has a standalone perl-Archive-Tar. perl-5.8.8 never distributed Archive::Tar because upstream started to bundle it with perl sources since 5.9.3.

Created perl-Archive-Tar tracking bugs for this issue:

Affects: fedora-all [bug 1591205]

perl-Archive-Tar-2.28-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

perl-Archive-Tar-2.28-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2097 https://access.redhat.com/errata/RHSA-2019:2097

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-12015