| Field | Value |
|---|---|
| Summary | app-arch/star: Directory traversal vulnerability (CVE-2007-4134) |
| Product | Gentoo Security |
| Reporter | Robert Buchholz (RETIRED) <rbu> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | shell-tools, wschlich |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B4? [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 185856 |
| Bug Blocks | |
| Attachments | |

Description
Robert Buchholz (RETIRED)
Created attachment 128754 [details, diff]
star-traversal.diff
Patch to fix this.
Created attachment 128756 [details]
v.tar
tar file to exploit this issue (creates a README file outside of the working dir)
Created attachment 128776 [details, diff]
star-1.5_alpha74-multiple-slashes.diff
Contacted upstream, this was the proposed patch.

shell-tools please advise and patch as necessary.

New upstream release AN-1.5a84 fixes this issue.

still 1.5a84 is not in portage...

It crashes here. But I've contacted upstream and Joerg gave sent me some additional fixes. As soon as I test them, I'll bump.

(In reply to comment #7)
> It crashes here. But I've contacted upstream and Joerg gave sent me some
> additional fixes. As soon as I test them, I'll bump.
>

great, thanks :o)

Proposing B4 based on severity in bug 189682, setting whiteboard to waiting for ebuild

Finally ebuild is in the tree. Thanks Peter.

Arches, please test and mark stable app-arch/star-1.5_alpha84. Target keywords are: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"

x86 stable

Stable for HPPA.

ppc64 stable

alpha/ia64 stable

The emerge completes here on sparc64 with the following warnings:

RULES/rules1.top:239: incs/Dcc.sparc-linux: No such file or directory
RULES/rules.cnf:56: incs/sparc-linux-cc/Inull: No such file or directory
RULES/rules.cnf:57: incs/sparc-linux-cc/rules.cnf: No such file or directory
../RULES/rules.ins:27: warning: overriding commands for target `/usr/'
../RULES/rules.ins:22: warning: ignoring old commands for target `/usr/'
../RULES/rules.ins:30: warning: overriding commands for target `../bins/sparc-linux-cc'
../RULES/rules.ins:24: warning: ignoring old commands for target `../bins/sparc-linux-cc'

The package doesn't run any tests. I was able to create a simple .tar.bz2 file and to extract it.

Created attachment 130804 [details]
sparc64-emerge-info
emerge --info for sparc64
Created attachment 130806 [details]
app-arch:star-1.5_alpha84:20070913-105036.log
Complete emerge log for star-1.5_alpha84

Jorge, I suppose that similar warnings are on all archs and this is a feature/problem of SSPM ("Slottable Source Plugin Module" system). This should not stop/delay stabilization.

(In reply to comment #19)
> Jorge, I suppose that similar warnings are on all archs and this is a
> feature/problem of SSPM ("Slottable Source Plugin Module" system). This should
> not stop/delay stabilization.
>

Then all is ready, sparc stable. Thanks Jorge for the testing and Peter for the note.

ppc stable

amd64 stable

All but mips stable, next is glsa decision. I tend to vote NO.

I vote NO.

mips stable.

we already sent a GLSA for such an issue in the near past (bug #189682 and GLSA 200709-09), and i would send a GLSA here too. I vote yes.

I vote yes, because the reasoning is the same as the previous tar vulnerability.

GLSA request filed.

star is not as widely used as tar that was why I voted NO (rating A4 vs B4).

glsa 200710-08, thanks everybody

(In reply to comment #30)
> glsa 200710-08, thanks everybody

Uhh... I'd call it GLSA 200710-23.