Bug 1588760 (CVE-2018-12015) - CVE-2018-12015 perl: Directory traversal in Archive::Tar
Summary: CVE-2018-12015 perl: Directory traversal in Archive::Tar
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-12015
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1588761 1591205 1592803 1592804 1592805 1592806
Blocks: 1588762
TreeView+ depends on / blocked
 
Reported: 2018-06-07 19:51 UTC by Pedro Sampaio
Modified: 2023-09-07 19:11 UTC (History)
17 users (show)

Fixed In Version: perl-Archive-Tar 2.28
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
Clone Of:
Environment:
Last Closed: 2019-08-06 19:18:58 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
CPAN 125523 0 None None None 2018-06-08 06:00:51 UTC
Red Hat Product Errata RHSA-2019:2097 0 None None None 2019-08-06 12:13:50 UTC

Description Pedro Sampaio 2018-06-07 19:51:57 UTC 
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
Comment 1 Pedro Sampaio 2018-06-07 19:52:54 UTC 
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1588761]
Comment 2 Petr Pisar 2018-06-12 08:22:12 UTC 
Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide Archive::Tar module by perl source package, but by perl-Archive-Tar source package.
Comment 3 Cedric Buissart 2018-06-14 08:06:57 UTC 
(In reply to Petr Pisar from comment #2)
> Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide
> Archive::Tar module by perl source package, but by perl-Archive-Tar source
> package.
Corrected. However, it seems that RHEL-5 also provides perl-Archive-Tar as source (i.e.: only RHEL-6 has Archive::Tar merged into perl source)
Comment 4 Petr Pisar 2018-06-14 08:59:21 UTC 
(In reply to Cedric Buissart from comment #3)
> However, it seems that RHEL-5 also provides perl-Archive-Tar as
> source (i.e.: only RHEL-6 has Archive::Tar merged into perl source)

You are right. RHEL-5 also has a standalone perl-Archive-Tar. perl-5.8.8 never distributed Archive::Tar because upstream started to bundle it with perl sources since 5.9.3.
Comment 5 Cedric Buissart 2018-06-14 09:33:10 UTC 
Created perl-Archive-Tar tracking bugs for this issue:

Affects: fedora-all [bug 1591205]
Comment 8 Fedora Update System 2018-06-18 15:15:53 UTC 
perl-Archive-Tar-2.28-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2018-06-18 16:17:48 UTC 
perl-Archive-Tar-2.28-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Cedric Buissart 2018-06-29 12:05:54 UTC 
Upstream fix:
https://github.com/jib/archive-tar-new/commit/ae65651eab05
Comment 12 errata-xmlrpc 2019-08-06 12:13:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2097 https://access.redhat.com/errata/RHSA-2019:2097
Comment 13 Product Security DevOps Team 2019-08-06 19:18:58 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-12015
Note You need to log in before you can comment on or make changes to this bug.