Bug 295021 (CVE-2007-4829) - CVE-2007-4829 perl-Archive-Tar directory traversal flaws
Summary: CVE-2007-4829 perl-Archive-Tar directory traversal flaws
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-4829
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 514322
Depends On: 315321 315331 364281 364291 430738 430739 430740 595731 595732 595733 595734 833952
Blocks:
 
Reported: 2007-09-18 16:18 UTC by Tomas Hoger
Modified: 2021-11-12 19:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-01 20:50:54 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2010:0505 (public, priority normal, status SHIPPED_LIVE): Moderate: perl-Archive-Tar security update, last updated 2010-07-01 18:58:18 UTC

Description Tomas Hoger 2007-09-18 16:18:42 UTC
Directory traversal vulnerability in the Archive::Tar perl module allows
user-assisted remote attackers to overwrite arbitrary files writable by the user
running an application using this module, via an absolute path or a .. (dot dot)
sequence in filenames in a TAR archive.

Similar issues were reported and fixed for GNU tar during past several years,
e.g.: CVE-2001-1267, CVE-2002-0399, CVE-2002-1216 and CVE-2007-4131.

This issue is important when this module is used to extract tar archives from
untrusted sources.  However, some such applications either implement
workarounds / their own checks (sa-update in spamassassin) or dropped support for
the module altogether (amavisd-new).
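The two vectors named in the description, as an added example that is not part of the bug report or of Archive::Tar's own code. It is a deliberately unchecked extractor written in Python (chosen so the behaviour can be run here; the affected module is Perl) that trusts member names the way Archive::Tar did before the 1.37_01 change, plus a sandboxed run showing the ".." case landing above the extraction directory. The member names, payloads and the /srv/extract destination are constructed for the example.

```python
import os
import tempfile

# Added example (not Archive::Tar code): what an extractor that trusts tar
# member names does with the two vectors from the report. The member names
# and destination directories below are constructed for illustration.


def naive_target(dest, member_name):
    """Where an unchecked extractor would write 'member_name'. os.path.join
    drops 'dest' entirely when the member name is absolute, and normpath lets
    a leading '..' walk above it. This is the vulnerable behaviour."""
    return os.path.normpath(os.path.join(dest, member_name))


def escapes(dest, member_name):
    """True when the naive target lies outside 'dest'."""
    dest = os.path.abspath(dest)
    target = os.path.abspath(naive_target(dest, member_name))
    return os.path.commonpath([dest, target]) != dest


def naive_write(dest, member_name, payload):
    """Deliberately unchecked write mimicking an extract() that trusts the
    archive: create the parent directory and write wherever the member name
    points. Returns the path actually written."""
    target = naive_target(dest, member_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(payload)
    return target


def demo_dotdot_escape():
    """Run the unchecked write inside a throwaway directory (so nothing
    outside it is touched) and report whether '../escaped.txt' landed one
    level above the extraction directory."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")
        os.makedirs(dest)
        naive_write(dest, "docs/README", b"harmless\n")
        naive_write(dest, "../escaped.txt", b"written outside dest\n")
        return os.path.exists(os.path.join(root, "escaped.txt"))


if __name__ == "__main__":
    for name in ("docs/README", "../../escaped.txt", "/etc/cron.d/backdoor"):
        verdict = "escapes" if escapes("/srv/extract", name) else "contained"
        print(name, "->", naive_target("/srv/extract", name), verdict)
    print("dot-dot escape reproduced:", demo_dotdot_escape())
```

The absolute-path case is only computed, never written, because the point of the join behaviour is precisely that it would write to /etc/cron.d regardless of the destination chosen by the caller.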

Comment 1 Tomas Hoger 2007-09-18 16:20:50 UTC
A similar issue was reported for Python's tarfile module, see #263261.

Comment 2 Tomas Hoger 2007-09-24 18:30:12 UTC
Upstream bug report:

http://rt.cpan.org/Public/Bug/Display.html?id=29517


Comment 5 Lubomir Kundrak 2007-11-09 17:49:41 UTC
Is there any chance this will get addressed for fedora?

Comment 6 Robin Norwood 2007-11-09 18:23:19 UTC
Once we have a fix for it, that fix will go into all supported versions of
fedora ASAP.  We don't have a fix yet, though.

Comment 8 Jan Pazdziora 2008-03-05 14:25:11 UTC
The Archive::Tar 1.38 is now available on CPAN, with the following in CHANGES:

* important changes in version 1.38    14/12/2007:
- Promote 1.37_01 to stable.

* important changes in version 1.37_01 11/11/2007:
- Address #30380: directory traversal vulnerability in Archive-Tar
  - Add $INSECURE_EXTRACT_MODE which defaults to 0, disallowing
    archives to extract files outside of cwd(). This is a backwards
    incompatible change from 1.36 and before.
  - Add a -I option to ptar to enable insecure extraction if needed

So using this version in Fedoras seems like the way to go. The diff from 1.34
(which we have in F8 and rawhide) to 1.36 is VMS specific, and the diff from 1.36
to 1.38 is exactly the fix for this bugzilla, so it should be safe to rebase.

Hmmm. Should I put this note to release-specific bugzillas?

Comment 9 Tomas Hoger 2008-03-05 15:53:28 UTC
Sadly, upstream version 1.38 is still prone to the directory traversal attack
using symlinks, as described in Willy Tarreau's old BugTraq post:

http://marc.info/?l=bugtraq&m=90674255917321

That problem was already pointed out in the upstream bug report.

Comment 10 Jan Pazdziora 2008-03-05 16:03:49 UTC
You are right. I should have said "diff from 1.36 to 1.38 is a partial fix for
this bugzilla and not other changes".

Is it better to wait for definitive fix, or close that one hole that 1.38
addresses, for the time being?

Comment 11 Miroslav Suchý 2008-03-19 13:46:10 UTC
See:
http://rt.cpan.org/Ticket/Display.html?id=30380#txn-436899

Comment 12 Lubomir Kundrak 2008-04-04 15:56:17 UTC
Maintainers; could you please punch upstream about this a bit? In case not, what
about applying Mirek's patch referred to in comment #11?

Comment 13 Tomas Hoger 2008-04-07 10:02:10 UTC
(In reply to comment #12)
> Maintainers; could you please punch upstream about this a bit? In case not, what
> about applying Mirek's patch referred to in comment #11?

Sorry, Mirek's patch does not resolve the issue.


Comment 15 Tuomo Soini 2008-12-11 06:14:20 UTC
This should now be fixed upstream.

Comment 16 Tomas Hoger 2008-12-11 08:50:55 UTC
1.40 does the following to cover known vectors:

- absolute paths are rejected
- all paths that include '..' as one of the elements are rejected
- extracting to symlink directories is denied

(applies to default SECURE EXTRACT MODE)

perl-Archive-Tar is now core perl module (as of perl 5.10 / F9, iirc), so Fedora updates will have to go via perl update.

Comment 17 Tuomo Soini 2008-12-11 10:17:12 UTC
rhel5 is still vulnerable...

Comment 18 Fedora Update System 2008-12-22 13:25:02 UTC
perl-5.10.0-52.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/perl-5.10.0-52.fc10

Comment 19 Fedora Update System 2008-12-30 23:44:35 UTC
perl-5.10.0-52.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Vincent Danen 2009-07-29 01:27:33 UTC
*** Bug 514322 has been marked as a duplicate of this bug. ***

Comment 21 Tuomo Soini 2010-03-31 07:26:14 UTC
I'd like to point out that perl-Archive-Tar-1.30-1.fc6 which is in rhel5 is still vulnerable as of rhel-5.5.

Comment 22 Vincent Danen 2010-04-06 14:53:10 UTC
We had provided an NVD statement for this regarding Red Hat Enterprise Linux 5:

https://www.redhat.com/security/data/cve/CVE-2007-4829.html

It should have been noted here as well, however.

The Red Hat Security Response Team does not consider this bug to be a security issue. It is not suggested behavior to extract archives from untrusted sources without prior inspection of the archive contents.

Comment 32 Tomas Hoger 2010-05-25 13:32:42 UTC
Raising priority here to make sure perl-Archive-Tar versions in RHEL4 and RHEL5 are updated to address this issue.

This flaw in perl-Archive-Tar did not affect other components shipped in RHEL that use this perl module, as the extract() method is not used.

It should also be noted that the updated Archive::Tar may fail to extract certain non-standard, but non-malicious, archives that use one of the restricted paths or links (see comment #16) but don't attempt to leave the current working directory during extraction.
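The three rules of comment 16 and the caveat of comment 32, as an added example that is not part of the bug report or of Archive::Tar's own code. It is written in Python (so it can be run here; the module under discussion is Perl) as the kind of pre-extraction inspection the statement in comment 22 asks for: it rejects absolute names, names with a ".." component, and names that pass through a symlink created earlier in the same archive (the BugTraq symlink trick from comment 9), then separates genuine escapes from members that trip a rule without ever leaving the extraction directory. The sample archive, its member names and symlink targets are constructed for the example. A symlink that already exists on disk under the destination can only be caught at extraction time, which this offline check does not cover.

```python
import io
import posixpath
import tarfile
from typing import Dict, List, Optional, Tuple

# Added example (not Archive::Tar code): the secure-extract-mode rules from
# comment 16 as an offline inspection, plus the comment 32 question "does
# this rejected member actually leave cwd?". The archive is constructed here.

ABSOLUTE = "absolute path"
DOTDOT = "'..' component"
VIA_SYMLINK = "path through a symlink created by the archive"


def _components(name: str) -> List[str]:
    """Split a member name, dropping empty and '.' parts; '..' is kept."""
    return [c for c in name.split("/") if c not in ("", ".")]


def check_member(name: str, linkname: str, is_symlink: bool,
                 symlinks: Dict[str, str]) -> Optional[str]:
    """Apply the three rules to one member, in archive order. Returns the
    rejection reason or None. 'symlinks' records the symlinks that earlier,
    accepted members created (path relative to the extraction directory)."""
    if name.startswith("/"):
        return ABSOLUTE
    if ".." in name.split("/"):
        return DOTDOT
    parts = _components(name)
    for i in range(1, len(parts)):          # any proper prefix that is a symlink
        if "/".join(parts[:i]) in symlinks:  # means we would write through it
            return VIA_SYMLINK
    if is_symlink:
        symlinks["/".join(parts)] = linkname
    return None


def stays_in_cwd(name: str, symlinks: Dict[str, str]) -> bool:
    """Lexically resolve '.', '..' and one level of in-archive symlinks and
    report whether the member still lands under the extraction directory.
    Used only to classify rejected members; it is not the security check."""
    if name.startswith("/"):
        return False
    cur: List[str] = []
    for part in _components(name):
        if part == "..":
            if not cur:
                return False          # walked above the extraction directory
            cur.pop()
            continue
        cur.append(part)
        link = symlinks.get("/".join(cur))
        if link is None:
            continue
        if link.startswith("/"):
            return False              # symlink leaves by absolute target
        cur.pop()                     # substitute the link's target, which is
        tail = posixpath.normpath(posixpath.join("/".join(cur), link))  # relative to its parent
        if tail == ".." or tail.startswith("../"):
            return False              # relative target climbs above cwd
        cur = _components(tail)
    return True


def inspect_archive(data: bytes) -> List[Tuple[str, str, bool]]:
    """Return (name, reason, stays_in_cwd) for every member the strict rules
    reject, in archive order. An empty list means the archive passes."""
    symlinks: Dict[str, str] = {}
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            reason = check_member(m.name, m.linkname, m.issym(), symlinks)
            if reason is not None:
                rejected.append((m.name, reason, stays_in_cwd(m.name, symlinks)))
    return rejected


def build_tar(members) -> bytes:
    """Constructed sample archive from (name, payload, linkname) triples; a
    non-None linkname makes the member a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload, linkname in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLE = build_tar([
    ("/etc/cron.d/evil", b"x\n", None),            # absolute path
    ("../../.ssh/authorized_keys", b"x\n", None),  # '..' climbs out of cwd
    ("foo", None, "/etc"),                         # symlink out of the tree,
    ("foo/passwd", b"x\n", None),                  # then a write through it
    ("lib", None, "libs"),                         # benign relative symlink ...
    ("lib/Helper.pm", b"x\n", None),               # ... rejected although in cwd
    ("./a/../b.txt", b"x\n", None),                # benign '..' that stays in cwd
    ("docs/README", b"x\n", None),                 # accepted
])


def classify(data: bytes) -> Tuple[List[str], List[str]]:
    """Split rejected members into genuine escapes and the non-standard but
    harmless names that comment 32 warns the strict rules also refuse."""
    rejected = inspect_archive(data)
    return ([n for n, _, inside in rejected if not inside],
            [n for n, _, inside in rejected if inside])
```

On the constructed SAMPLE the first three rejections are real escapes and the last two (a file under a relative in-tree symlink and "./a/../b.txt") are the benign-but-refused kind; an archive of that second kind is the situation where a caller would have to fall back on the insecure mode described in comment 8 ($INSECURE_EXTRACT_MODE, or -I for ptar) after inspecting it, rather than loosening the rules for everything.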

Comment 39 errata-xmlrpc 2010-07-01 18:58:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2010:0505 https://rhn.redhat.com/errata/RHSA-2010-0505.html

