+++ This bug was initially created as a clone of Bug #295021 +++
Directory traversal vulnerability in the Archive::Tar perl module allows
user-assisted remote attackers to overwrite arbitrary files writable by the user
running an application that uses this module, via an absolute path or a .. (dot dot)
sequence in filenames in a TAR archive.
Similar issues were reported and fixed for GNU tar over the past several years,
e.g.: CVE-2001-1267, CVE-2002-0399, CVE-2002-1216 and CVE-2007-4131.
This issue is important when this module is used to extract tar archives from
untrusted sources. However, some such applications either implement their own
workarounds / checks (sa-update in spamassassin) or dropped support for the module
altogether (amavisd-new).
--- Additional comment from thoger on 2007-09-18 12:20:50 EDT ---
A similar issue was reported for Python's tarfile module, see #263261.
--- Additional comment from thoger on 2007-09-24 14:30:12 EDT ---
Upstream bug report:
http://rt.cpan.org/Public/Bug/Display.html?id=29517
--- Additional comment from lkundrak on 2007-11-09 12:49:41 EDT ---
Is there any chance this will get addressed for fedora?
--- Additional comment from robin.norwood on 2007-11-09 13:23:19 EDT ---
Once we have a fix for it, that fix will go into all supported versions of
fedora ASAP. We don't have a fix yet, though.
--- Additional comment from jpazdziora on 2008-03-05 09:25:11 EDT ---
Archive::Tar 1.38 is now available on CPAN, with the following in CHANGES:
* important changes in version 1.38 14/12/2007:
- Promote 1.37_01 to stable.
* important changes in version 1.37_01 11/11/2007:
- Address #30380: directory traversal vulnerability in Archive-Tar
- Add $INSECURE_EXTRACT_MODE which defaults to 0, disallowing
archives to extract files outside of cwd(). This is a backwards
incompatible change from 1.36 and before.
- Add a -I option to ptar to enable insecure extraction if needed
So using this version in Fedora seems like the way to go. The diff from 1.34
(which we have in F8 and rawhide) to 1.36 is VMS specific, and the diff from 1.36
to 1.38 is exactly the fix for this bugzilla, so it should be safe to rebase.
Hmmm. Should I put this note in the release-specific bugzillas?
--- Additional comment from thoger on 2008-03-05 10:53:28 EDT ---
Sadly, upstream version 1.38 is still prone to the directory traversal attack
using symlinks, as described in Willy Tarreau's old BugTraq post:
http://marc.info/?l=bugtraq&m=90674255917321
That problem was already pointed out in the upstream bug report.
--- Additional comment from jpazdziora on 2008-03-05 11:03:49 EDT ---
You are right. I should have said "diff from 1.36 to 1.38 is a partial fix for
this bugzilla and not other changes".
Is it better to wait for a definitive fix, or close the one hole that 1.38
addresses, for the time being?
--- Additional comment from msuchy on 2008-03-19 09:46:10 EDT ---
See:
http://rt.cpan.org/Ticket/Display.html?id=30380#txn-436899
--- Additional comment from lkundrak on 2008-04-04 11:56:17 EDT ---
Maintainers; could you please punch upstream about this a bit? If not, what
about applying Mirek's patch referred to in comment #11?
--- Additional comment from thoger on 2008-04-07 06:02:10 EDT ---
(In reply to comment #12)
> Maintainers; could you please punch upstream about this a bit? If not, what
> about applying Mirek's patch referred to in comment #11?
Sorry, Mirek's patch does not resolve the issue.
--- Additional comment from tis on 2008-12-11 01:14:20 EDT ---
This should now be fixed upstream.
--- Additional comment from thoger on 2008-12-11 03:50:55 EDT ---
1.40 does the following to cover the known vectors:
- absolute paths are rejected
- all paths that include '..' as one of the elements are rejected
- extracting to symlink directories is denied
(applies to default SECURE EXTRACT MODE)
perl-Archive-Tar is now a core perl module (as of perl 5.10 / F9, iirc), so Fedora updates will have to go via a perl update.
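To make the three 1.40 rules concrete, here is an added Python example (not code from Archive::Tar, Fedora, or any commenter) that audits a constructed in-memory tar archive before anything is extracted; Python's tarfile is used because it had the same class of bug (see #263261). The symlink rule is approximated by tracking symlink members defined earlier in the same archive (the vector from the BugTraq post), whereas 1.40 checks the on-disk path, so a real extractor must additionally refuse to write through directories that already are symlinks.

```python
import io
import tarfile


def reject_reason(member, symlinks_seen):
    """Apply the three rules to one member: None if it may be extracted, else why not.
    symlinks_seen holds names of symlink members already seen in this archive."""
    if member.name.startswith("/"):
        return "absolute path"
    # tar names are '/'-separated; drop empty and '.' elements before checking
    parts = [p for p in member.name.split("/") if p not in ("", ".")]
    if ".." in parts:
        return "'..' path element"
    for depth in range(1, len(parts)):  # every proper directory prefix
        prefix = "/".join(parts[:depth])
        if prefix in symlinks_seen:
            return "path goes through symlink %r" % prefix
    if member.issym():
        symlinks_seen.add("/".join(parts))
    return None


def audit_archive(tar_bytes):
    """Return {member name: reason} for every member that must not be extracted."""
    rejected = {}
    symlinks_seen = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf:
            reason = reject_reason(member, symlinks_seen)
            if reason is not None:
                rejected[member.name] = reason
    return rejected


def build_sample_archive():
    """Constructed archive: one benign file plus one member per known vector."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add_file("pkg/README")              # benign, stays inside cwd
        add_file("/tmp/owned")              # absolute path
        add_file("pkg/../../escape")        # '..' element
        link = tarfile.TarInfo("pkg/lib")   # symlink pointing outside cwd ...
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp"
        tf.addfile(link)
        add_file("pkg/lib/planted")         # ... then a file written through it
    return buf.getvalue()
```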
--- Additional comment from tis on 2008-12-11 05:17:12 EDT ---
rhel5 is still vulnerable...
--- Additional comment from updates on 2008-12-22 08:25:02 EDT ---
perl-5.10.0-52.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/perl-5.10.0-52.fc10
--- Additional comment from updates on 2008-12-30 18:44:35 EDT ---
perl-5.10.0-52.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.