Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 155901

Summary: app-arch/tar symlink directory traversal? (CVE-2006-6097)
Product: Gentoo Security Reporter: Tom Knight (RETIRED) <tomk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: cornet, passnet
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.html
Whiteboard: A2? [glsa+] jaervosz
Package list:
Runtime testing required: ---

Description Tom Knight (RETIRED) gentoo-dev 2006-11-21 16:36:19 UTC 
It's possible to create symlinks to arbitrary locations on the filesystem within a tarball using the GNUTYPE_NAMES record name. This is demonstrated in the FD post specified.

Also this has been verified by a Gentoo user here: http://sheepy.org/node/23

For all intents and purposes you can can s/rootdo/sudo/g in that report (He's got some crazy scripts seeing as he's a veteran Gentoo user :) I've also verified this exploit locally.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-21 23:07:09 UTC 
Base system please advise.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 11:44:15 UTC 
Proposed fix is here:

https://savannah.gnu.org/bugs/download.php?file_id=11327
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 11:45:39 UTC 
And upstream bug: https://savannah.gnu.org/bugs/index.php?18355
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-28 01:39:14 UTC 
mhh this is evil, tricking somebody into extracting a tar file is easy.

please bump
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2006-11-29 00:38:32 UTC 
*** Bug 156578 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-30 11:26:40 UTC 
base-system, we are behind schedule, please bump!
Comment 7 SpanKY gentoo-dev 2006-12-02 14:59:58 UTC 
cry me a river

1.16-r2 is in portage with the change that actually went into upstream cvs
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-03 03:56:55 UTC 
arch teams, please test and stable 1.16-r2
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2006-12-03 07:12:56 UTC 
x86 done
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-03 10:33:05 UTC 
ppc stable
Comment 11 Jason Wever (RETIRED) gentoo-dev 2006-12-03 11:33:56 UTC 
And you, SPARC'd me all night long....
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2006-12-03 14:29:00 UTC 
Stable for HPPA.
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2006-12-06 00:19:35 UTC 
ppc64 stable
Comment 14 Alexander Færøy 2006-12-06 13:06:05 UTC 
Stable on MIPS.
Comment 15 Alexander Færøy 2006-12-06 13:35:18 UTC 
Argh, forgot Alpha. Alpha is stable too.
Comment 16 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-12-08 10:41:28 UTC 
amd64 done, sorry for the delay.
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-11 13:56:53 UTC 
GLSA 200612-10

thanks everyone