Bug 155901 - app-arch/tar symlink directory traversal? (CVE-2006-6097)
Bug#: 155901 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: tomk@gentoo.org
Component: Vulnerabilities
URL:  http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.html
Summary: app-arch/tar symlink directory traversal? (CVE-2006-6097)
Keywords:  
Status Whiteboard: A2? [glsa+] jaervosz
Opened: 2006-11-21 16:36 0000
Description:   Opened: 2006-11-21 16:36 0000 
It's possible to create symlinks to arbitrary locations on the filesystem
within a tarball using the GNUTYPE_NAMES record name. This is demonstrated in
the FD post specified.

Also this has been verified by a Gentoo user here: http://sheepy.org/node/23

For all intents and purposes you can can s/rootdo/sudo/g in that report (He's
got some crazy scripts seeing as he's a veteran Gentoo user :) I've also
verified this exploit locally.

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-11-21 23:07:09 0000 ------- 
Base system please advise.

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-11-24 11:44:15 0000 ------- 
Proposed fix is here:

https://savannah.gnu.org/bugs/download.php?file_id=11327

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-11-24 11:45:39 0000 ------- 
And upstream bug: https://savannah.gnu.org/bugs/index.php?18355

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-11-28 01:39:14 0000 ------- 
mhh this is evil, tricking somebody into extracting a tar file is easy.

please bump

------- Comment #5 From Jakub Moc (RETIRED) 2006-11-29 00:38:32 0000 ------- 
*** Bug 156578 has been marked as a duplicate of this bug. ***

------- Comment #6 From Stefan Cornelius (RETIRED) 2006-11-30 11:26:40 0000 ------- 
base-system, we are behind schedule, please bump!

------- Comment #7 From SpanKY 2006-12-02 14:59:58 0000 ------- 
cry me a river

1.16-r2 is in portage with the change that actually went into upstream cvs

------- Comment #8 From Stefan Cornelius (RETIRED) 2006-12-03 03:56:55 0000 ------- 
arch teams, please test and stable 1.16-r2

------- Comment #9 From Andrej Kacian (RETIRED) 2006-12-03 07:12:56 0000 ------- 
x86 done

------- Comment #10 From Tobias Scherbaum 2006-12-03 10:33:05 0000 ------- 
ppc stable

------- Comment #11 From Jason Wever (RETIRED) 2006-12-03 11:33:56 0000 ------- 
And you, SPARC'd me all night long....

------- Comment #12 From Jeroen Roovers 2006-12-03 14:29:00 0000 ------- 
Stable for HPPA.

------- Comment #13 From Markus Rothe 2006-12-06 00:19:35 0000 ------- 
ppc64 stable

------- Comment #14 From Alexander Færøy 2006-12-06 13:06:05 0000 ------- 
Stable on MIPS.

------- Comment #15 From Alexander Færøy 2006-12-06 13:35:18 0000 ------- 
Argh, forgot Alpha. Alpha is stable too.

------- Comment #16 From Daniel Gryniewicz 2006-12-08 10:41:28 0000 ------- 
amd64 done, sorry for the delay.

------- Comment #17 From Matthias Geerdsen 2006-12-11 13:56:53 0000 ------- 
GLSA 200612-10

thanks everyone