Bug 1588760 (CVE-2018-12015)

Summary: CVE-2018-12015 perl: Directory traversal in Archive::Tar
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: alexl, caillon+fedoraproject, caolanm, cbuissar, hhorak, john.j5live, jorton, jplesnik, kasal, perl-devel, perl-maint-list, ppisar, psabata, rhughes, rstrode, sandmann, steve
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: perl-Archive-Tar 2.28
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
Last Closed: 2019-08-06 19:18:58 UTC
Bug Depends On: 1588761, 1591205, 1592803, 1592804, 1592805, 1592806
Bug Blocks: 1588762

Description Pedro Sampaio 2018-06-07 19:51:57 UTC
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
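
As an added defensive example (not part of the bug report and not code from Archive::Tar itself), the following Perl script screens an archive for the shape described above before anything is extracted: a symlink entry followed by a regular file of the same name, plus symlink targets that leave the extraction directory. The sample archive it builds is constructed here with a harmless relative target; the entry names and the audit_archive helper are this example's own choices.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): screen a tar archive for the
# CVE-2018-12015 pattern before handing it to Archive::Tar->extract().
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant qw(FILE SYMLINK);
use File::Temp qw(tempfile);

# Returns a list of findings; an empty list means no symlink/regular-file
# name collision and no symlink target that escapes the extraction root.
sub audit_archive {
    my ($path) = @_;
    my $tar = Archive::Tar->new($path)
        or die "cannot read $path: " . Archive::Tar->error;
    my (%symlink_target, @findings);
    for my $entry ($tar->get_files) {        # entries in on-archive order
        my $name = $entry->full_path;
        if ($entry->is_symlink) {
            my $target = $entry->linkname;
            $symlink_target{$name} = $target;
            push @findings, "symlink '$name' points outside the archive ($target)"
                if $target =~ m{^/} || grep { $_ eq '..' } split m{/}, $target;
        }
        elsif ($entry->is_file && exists $symlink_target{$name}) {
            # The reported pattern: a regular file whose name was already
            # created as a symlink, so its data would be written through the link.
            push @findings,
                "file '$name' follows a symlink of the same name -> $symlink_target{$name}";
        }
    }
    return @findings;
}

# Constructed sample archive with the same shape as the report describes.
my ($fh, $sample) = tempfile(SUFFIX => '.tar', UNLINK => 1);
close $fh;
my $tar = Archive::Tar->new;
$tar->add_data('notes.txt', '',        { type => SYMLINK, linkname => '../outside/victim.txt' });
$tar->add_data('notes.txt', "owned\n", { type => FILE });
$tar->add_data('README',    "benign\n");
$tar->write($sample) or die Archive::Tar->error;

my @findings = audit_archive($sample);
print @findings ? join("\n", @findings, '') : "archive looks clean\n";
exit(@findings ? 1 : 0);
```

The constructed archive produces two findings (the escaping symlink target and the colliding regular file), and the script exits non-zero so it can gate an extraction step.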

Comment 1 Pedro Sampaio 2018-06-07 19:52:54 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1588761]

Comment 2 Petr Pisar 2018-06-12 08:22:12 UTC
Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide Archive::Tar module by perl source package, but by perl-Archive-Tar source package.

Comment 3 Cedric Buissart 2018-06-14 08:06:57 UTC
(In reply to Petr Pisar from comment #2)
> Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide
> Archive::Tar module by perl source package, but by perl-Archive-Tar source
> package.
Corrected. However, it seems that RHEL-5 also provides perl-Archive-Tar as source (i.e.: only RHEL-6 has Archive::Tar merged into perl source).

Comment 4 Petr Pisar 2018-06-14 08:59:21 UTC
(In reply to Cedric Buissart from comment #3)
> However, it seems that RHEL-5 also provides perl-Archive-Tar as
> source (i.e.: only RHEL-6 has Archive::Tar merged into perl source)

You are right. RHEL-5 also has a standalone perl-Archive-Tar. perl-5.8.8 never distributed Archive::Tar because upstream started to bundle it with perl sources since 5.9.3.

Comment 5 Cedric Buissart 2018-06-14 09:33:10 UTC
Created perl-Archive-Tar tracking bugs for this issue:

Affects: fedora-all [bug 1591205]

Comment 8 Fedora Update System 2018-06-18 15:15:53 UTC
perl-Archive-Tar-2.28-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2018-06-18 16:17:48 UTC
perl-Archive-Tar-2.28-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Cedric Buissart 2018-06-29 12:05:54 UTC
Upstream fix:
https://github.com/jib/archive-tar-new/commit/ae65651eab05

Comment 12 errata-xmlrpc 2019-08-06 12:13:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2097 https://access.redhat.com/errata/RHSA-2019:2097

Comment 13 Product Security DevOps Team 2019-08-06 19:18:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-12015