Re: libtar: missing validation of file names

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/10/2013 01:28 PM, Naufragium Est wrote:
> is this also CVE-worthy?
>
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
>
>
> > The functions tar_extract_glob and tar_extract_all accept a path
> > prefix on where to extract files to. However, libtar does not
> > validate the file names stored inside a tar file, possibly
> > leading to a file extraction outside the prefix path. For
> > example, consider a file name "../../etc/passwd". If extract_all
> > is called with prefix "/home/USER/", libtar would try to
> > overwrite "/etc/passwd".
>
> not fixed yet:
>
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000362.html
>
>
> > Once I figure out the right way of handling this, there will
> > probably be another libtar release.

Please use CVE-2013-4420 for libtar tar_extract_glob and
tar_extract_all path prefix directory traversal

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSV48kAAoJEBYNRVNeJnmTZL8QALkqVWW7Y+Zn63hyNF6Hwt8M
QfEi9gAacE+vDG6CEpFwMmHsJJRufGzUGSOjSz60z16U6zXri54FGDbkkaSgsQB8
fUV7x5prW1OfgK9YfZw80ei48Esf8w51IlrMcG5bkpwciMWwrKYpGQCWk71UxQ2a
jFYdhpCw1hcD/ULSVJjS2NClI13/ZsaHqtU3wL2YDpHh/52Nbx+40jegA+EN2W9s
u8jf+eWqy7kYs/VYYcsNH+jW3WZn/hGPGtymPEN9nkeeeIch8mvCA7rEdnKA37jW
c3QECQPqVFK+VL0GEThX2xpN217o3r0TNr7dc3Xgyv61MYIeNBsFvjUmISMrAKOt
SkrwFP8noJcv5usvNDONebGK7Uf6XlOTL4/eJKlS4iC+gqn4Ugo3ZROrBca9cCpF
wh/+oodGXwuGLlWiWBduDibYrQWMhd5gbA96P7eOj6XSpHotWpbvDLDkyvc9Arv8
dIT3bHrKIEnU7L0qo7H+MsgBkH1A31wW1d6nQ0RQU6/v04MS2GkLjIJrOPeZ7nai
uNcvgqQh0SRR1NAI49QSlfz6wO3Z/NUEmeLNxML0EMdxdhVJI+AlW/n1xwGv6j0p
A636LXItisyXT2lbQcufkgUXqk6izh7SQ9IKdTCpgpXfRM4LDXfY1A2uFHu17CTm
r56AGzsFqURdAAG1dnZi
=ymrw
-----END PGP SIGNATURE-----