Bug 1588760 - (CVE-2018-12015) CVE-2018-12015 perl: Directory traversal in Archive::Tar
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180607,repor...
Keywords: Security
Depends On: 1592803 1592804 1592805 1588761 1591205 1592806
Blocks: 1588762
Reported: 2018-06-07 15:51 EDT by Pedro Sampaio
Modified: 2018-09-19 08:38 EDT (History)
Fixed In Version: perl-Archive-Tar 2.28
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
External Trackers
  Tracker: CPAN, ID: 125523, Priority: None, Status: None, Summary: None, Last Updated: 2018-06-08 02:00 EDT
Description Pedro Sampaio 2018-06-07 15:51:57 EDT
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
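The description above and the Doc Text field both describe the same archive shape: a symlink entry followed by a regular file with the same name, so that writing the second entry follows the link and lands outside the extraction directory. The following is an added example, not code from Archive::Tar, from the upstream fix, or from this bug report: a pre-extraction check, written in Python's tarfile module rather than Perl, that walks the member list of an archive and flags (a) a symlink whose target resolves outside the extraction root, (b) a regular file whose name was declared earlier as a symlink (the pattern in this CVE), and (c) the general form, a regular file whose ancestor directory was declared earlier as a symlink. The archives it scans are constructed in memory as fixtures; all names and link targets in them are made up for the example. The fix for the module itself is the upgrade to perl-Archive-Tar 2.28 named in this bug; a scan like this is a belt-and-braces check for untrusted archives, not a replacement for it.

```python
import io
import posixpath
import tarfile


def _normalize(name):
    """Collapse './', '//' and a leading '/' so member names compare consistently."""
    return posixpath.normpath(name.lstrip("/"))


def _escapes_root(member_name, link_target):
    """True if a symlink stored at member_name resolves outside the extraction root."""
    if link_target.startswith("/"):
        return True
    base = posixpath.dirname(_normalize(member_name))
    resolved = posixpath.normpath(posixpath.join(base, link_target))
    return resolved == ".." or resolved.startswith("../")


def find_symlink_overwrite(tar):
    """Return (kind, member_name, link_target) findings for symlink-based
    overwrite patterns, walking members in archive order (the order an
    extractor would process them)."""
    findings = []
    symlinks = {}  # normalized member name -> link target, for symlinks seen so far
    for member in tar.getmembers():
        name = _normalize(member.name)
        if member.issym():
            symlinks[name] = member.linkname
            if _escapes_root(member.name, member.linkname):
                findings.append(("symlink-escape", member.name, member.linkname))
            continue
        if not member.isfile():
            continue  # directories and device nodes carry no payload to write through a link
        # Check the file's own name and each ancestor directory: if any was
        # declared earlier as a symlink, writing this member follows that link.
        parts = name.split("/")
        for depth in range(1, len(parts) + 1):
            prefix = "/".join(parts[:depth])
            if prefix in symlinks:
                kind = "same-name-overwrite" if prefix == name else "write-through-symlink-dir"
                findings.append((kind, member.name, symlinks[prefix]))
                break
    return findings


def build_sample(entries):
    """Constructed test fixture: build an in-memory tar from
    (name, kind, payload) tuples, where kind is "file" or "symlink"."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_archive_bytes(blob):
    """Scan a tar archive held in memory and return its findings."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        return find_symlink_overwrite(tar)


# Constructed archives (names and targets are made up for the example).
CRAFTED = build_sample([
    ("etc/app.conf", "symlink", "../../outside/target.conf"),
    ("etc/app.conf", "file", "overwritten contents\n"),
])
BENIGN = build_sample([
    ("app/data.txt", "file", "hello\n"),
    ("app/latest", "symlink", "data.txt"),
])

if __name__ == "__main__":
    for label, blob in (("crafted", CRAFTED), ("benign", BENIGN)):
        print(label, scan_archive_bytes(blob))
```

The check deliberately compares normalized names, so `./etc/app.conf` and `etc/app.conf` are treated as the same path, and it stops at the first matching prefix for a member so each file produces at most one finding.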
Comment 1 Pedro Sampaio 2018-06-07 15:52:54 EDT
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1588761]
Comment 2 Petr Pisar 2018-06-12 04:22:12 EDT
Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide Archive::Tar module by perl source package, but by perl-Archive-Tar source package.
Comment 3 Cedric Buissart 2018-06-14 04:06:57 EDT
(In reply to Petr Pisar from comment #2)
> Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide
> Archive::Tar module by perl source package, but by perl-Archive-Tar source
> package.
Corrected. However, it seems that RHEL-5 also provides perl-Archive-Tar as source (i.e. only RHEL-6 has Archive::Tar merged into the perl source).
Comment 4 Petr Pisar 2018-06-14 04:59:21 EDT
(In reply to Cedric Buissart from comment #3)
> However, it seems that RHEL-5 also provides perl-Archive-Tar as
> source (i.e.: only RHEL-6 has Archive::Tar merged into perl source)

You are right. RHEL-5 also has a standalone perl-Archive-Tar. perl-5.8.8 never distributed Archive::Tar because upstream only started bundling it with the perl sources in 5.9.3.
Comment 5 Cedric Buissart 2018-06-14 05:33:10 EDT
Created perl-Archive-Tar tracking bugs for this issue:

Affects: fedora-all [bug 1591205]
Comment 8 Fedora Update System 2018-06-18 11:15:53 EDT
perl-Archive-Tar-2.28-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2018-06-18 12:17:48 EDT
perl-Archive-Tar-2.28-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Cedric Buissart 2018-06-29 08:05:54 EDT
Upstream fix:
https://github.com/jib/archive-tar-new/commit/ae65651eab05