Bugtraq mailing list archives

GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)


From: Solar Designer <solar () openwall com>
Date: Sat, 28 Sep 2002 17:39:33 +0400

On Fri, Sep 27, 2002 at 02:11:07AM +0200, Bencsath Boldizsar wrote:
> 2. Description of the "tar" problem
>
> Creating a tar file with the -P option one can put any file names in the tar
> file. While unpacking such tar files, tar is designed to remove the leading
> slash. Another security feature of the tar package is to deny deployment of
> any files whose name contains "dotdot" (".."). A bug in the tar package
> leads to a security flaw:
> "../something" is denied by tar
> "/something" leading slash is removed
> "/../something" leading slash removed but ".." is NOT denied
> "./../something" ".." is NOT denied.

> Although we found this bug by studying tar, we found that it had already
> been found by others, so we should give them credit:

I believe 3APA3A was first to post this to Bugtraq last year:

http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666

At least 1.13.17 and 1.13.18 are known to get the contains_dot_dot()
function right, some older versions certainly didn't have it.  1.13.19
introduced a bug which broke the check and it's still not fixed in
1.13.25.

There's another related problem where tar could be made to follow a
symlink it just extracted and place a file outside of the intended
directory tree, pointed out on Bugtraq by Willy TARREAU in 1998:

http://marc.theaimsgroup.com/?l=bugtraq&m=90674255917321

Paul Eggert included a fix for it in 1.13.18:

"2000-10-23

...Extract potentially dangerous symbolic links more carefully,
deferring their creation until the end, and using a regular file
placeholder in the meantime."

However, he later broke it with a typo (reversed check) in 1.13.19.
1.13.25 has that check fixed again.

I've now fixed these two bugs and a third (non-security) bug that
1.13.19 introduced for the Owl package, with proper credit to you and
others involved, in both the package and the system-wide change log:

http://www.openwall.com/Owl/CHANGES.shtml

Although the two security bugs are now fixed, please keep in mind that
tar has traditionally been intended for making and extracting tape
backups rather than archives obtained from untrusted sources.  Be very
careful with what input you pass it and what user you run it as.

I've attached the two security patches to this message.  The dot-dot
patch is valid for 1.13.19 to 1.13.25, the symlink patch is needed for
1.13.19 and possibly some versions after it but not 1.13.25.  Other
patches that we use may be obtained via:

cvs -z3 -d :pserver:anoncvs:anoncvs@anoncvs.owl.openwall.com:/cvs co Owl/packages/tar

or:

http://www.openwall.com/Owl/ (and pick an FTP mirror)
ftp://ftp.ru.openwall.com/pub/Owl/current/native.tar.gz

-- 
/sd

Attachment: tar-1.13.19-owl-dot-dot.diff
Attachment: tar-1.13.19-owl-symlinks.diff
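The four member names in the quoted report make a compact test case for an extraction-time name check. The C below is an added illustration, not GNU tar's source or the attached patches: it pairs a constructed prefix-only check, which reproduces the four outcomes the report lists, with a component-wise check that strips leading slashes first and then refuses ".." wherever it appears in the path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not GNU tar's code. The names and functions are
   constructed for illustration of the check the report describes. */

/* Leading '/' characters are dropped, as tar does for absolute names. */
static const char *strip_leading_slashes(const char *name)
{
    while (*name == '/')
        name++;
    return name;
}

/* Constructed flawed check: it only looks at the first component of the
   raw name, so "/../x" and "./../x" slip through. Not tar's actual source. */
bool prefix_only_rejects(const char *name)
{
    return strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0;
}

/* Correct check: every '/'-separated component is inspected, so ".." is
   refused wherever it appears, including after "./" or a stripped slash. */
bool contains_dot_dot_component(const char *name)
{
    for (const char *p = name; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* True if the member may be created below the extraction directory:
   leading slashes are removed, then any ".." component is rejected. */
bool safe_member_name(const char *name)
{
    name = strip_leading_slashes(name);
    return *name != '\0' && !contains_dot_dot_component(name);
}
```

Run over the report's four names, the prefix-only check denies only "../something", while safe_member_name allows "/something" and denies the other three.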
