oss-sec mailing list archives
Re: libtar: missing validation of file names
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 10 Oct 2013 23:39:48 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/10/2013 01:28 PM, Naufragium Est wrote:
is this also CVE-worthy? https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.htmlThe functions tar_extract_glob and tar_extract_all accept a path prefix on where to extract files to. However, libtar does not validate the file names stored inside a tar file, possibly leading to a file extraction outside the prefix path. For example, consider a file name "../../etc/passwd". If extract_all is called with prefix "/home/USER/", libtar would try to overwrite "/etc/passwd".not fixed yet: https://lists.feep.net:8080/pipermail/libtar/2013-October/000362.htmlOnce I figure out the right way of handling this, there will probably be another libtar release.
Please use CVE-2013-4420 for libtar tar_extract_glob and tar_extract_all path prefix directory traversal - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSV48kAAoJEBYNRVNeJnmTZL8QALkqVWW7Y+Zn63hyNF6Hwt8M QfEi9gAacE+vDG6CEpFwMmHsJJRufGzUGSOjSz60z16U6zXri54FGDbkkaSgsQB8 fUV7x5prW1OfgK9YfZw80ei48Esf8w51IlrMcG5bkpwciMWwrKYpGQCWk71UxQ2a jFYdhpCw1hcD/ULSVJjS2NClI13/ZsaHqtU3wL2YDpHh/52Nbx+40jegA+EN2W9s u8jf+eWqy7kYs/VYYcsNH+jW3WZn/hGPGtymPEN9nkeeeIch8mvCA7rEdnKA37jW c3QECQPqVFK+VL0GEThX2xpN217o3r0TNr7dc3Xgyv61MYIeNBsFvjUmISMrAKOt SkrwFP8noJcv5usvNDONebGK7Uf6XlOTL4/eJKlS4iC+gqn4Ugo3ZROrBca9cCpF wh/+oodGXwuGLlWiWBduDibYrQWMhd5gbA96P7eOj6XSpHotWpbvDLDkyvc9Arv8 dIT3bHrKIEnU7L0qo7H+MsgBkH1A31wW1d6nQ0RQU6/v04MS2GkLjIJrOPeZ7nai uNcvgqQh0SRR1NAI49QSlfz6wO3Z/NUEmeLNxML0EMdxdhVJI+AlW/n1xwGv6j0p A636LXItisyXT2lbQcufkgUXqk6izh7SQ9IKdTCpgpXfRM4LDXfY1A2uFHu17CTm r56AGzsFqURdAAG1dnZi =ymrw -----END PGP SIGNATURE-----
Current thread:
- libtar: missing validation of file names Naufragium Est (Oct 10)
- Re: libtar: missing validation of file names Kurt Seifried (Oct 10)