Bug 657968 (CVE-2018-12015)

Summary:	dev-lang/perl: Directory traversal in Archive::Tar (CVE-2018-12015)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	bugs, nobrowser, perl
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [cve noglsa]
Package list:	virtual/perl-Archive-Tar-2.300.0-r1 perl-core/Archive-Tar-2.300.0	Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2018-06-12 11:18:08 UTC

CVE-2018-12015 (https://nvd.nist.gov/vuln/detail/CVE-2018-12015):
  In Perl through 5.26.2, the Archive::Tar module allows remote attackers to
  bypass a directory-traversal protection mechanism, and overwrite arbitrary
  files, via an archive file containing a symlink and a regular file with the
  same name.

Comment 1 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev

2018-06-16 04:36:58 UTC

*** Bug 657778 has been marked as a duplicate of this bug. ***

Comment 2 Larry the Git Cow gentoo-dev

2018-07-06 02:42:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99fda8ae7b10c15df793d4080339f59ea169acd8

commit 99fda8ae7b10c15df793d4080339f59ea169acd8
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-07-06 01:44:07 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-07-06 01:44:32 +0000

    dev-lang/perl: Bump 5.28.9999 to 5.28.0 Final
    
    - Still fails tests due to bug #645084
    
    Upstream:
    - Now includes Archive-Tar 2.280.0 for CVE-2018-12015 (Bug #657968)
    
    Bug: https://bugs.gentoo.org/645084
    Bug: https://bugs.gentoo.org/657968
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-lang/perl/Manifest              | 2 +-
 dev-lang/perl/perl-5.28.9999.ebuild | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2018-07-06 06:03:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b847f7f94bcfc09435a9cf08c00d842d09171f22

commit b847f7f94bcfc09435a9cf08c00d842d09171f22
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-07-06 05:59:21 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-07-06 05:59:38 +0000

    virtual/perl-Archive-Tar: Bump to 2.300.0 for CVE-2018-12015 bug #657968
    
    This pulls perl-core/Archive-Tar for everyone currently on ~arch, and
    will likely be stabilized before/with dev-lang/perl-5.26.2
    
    Bug: https://bugs.gentoo.org/657968
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 virtual/perl-Archive-Tar/perl-Archive-Tar-2.300.0.ebuild | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Comment 4 Andreas K. Hüttel archtester

2019-04-07 13:48:51 UTC

This somehow was missed. 

All arches, please stabilize

virtual/perl-Archive-Tar-2.300.0-r1
perl-core/Archive-Tar-2.300.0

Comment 5 Agostino Sarubbo gentoo-dev

2019-04-07 14:44:35 UTC

amd64 stable

Comment 6 Mikle Kolyada (RETIRED) archtester

2019-04-07 21:50:51 UTC

s390 stable

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2019-04-08 02:20:08 UTC

x86 stable

Comment 8 Mikle Kolyada (RETIRED) archtester

2019-04-08 06:42:18 UTC

alpha stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-08 07:24:47 UTC

hppa stable

Comment 10 Mart Raudsepp gentoo-dev

2019-04-08 11:17:17 UTC

arm64 stable

Comment 11 Mikle Kolyada (RETIRED) archtester

2019-04-08 18:56:09 UTC

arm stable

Comment 12 Rolf Eike Beer archtester

2019-04-11 05:21:34 UTC

sparc stable

Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-27 16:32:17 UTC

ia64 stable

Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-27 16:36:37 UTC

ppc64 stable

Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-27 16:52:44 UTC

ppc stable

Comment 16 Andreas K. Hüttel archtester

2019-05-11 16:19:02 UTC

All security-supported arches done.

Comment 17 Andreas K. Hüttel archtester

2019-08-30 21:18:36 UTC

@security please proceed

Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 22:11:43 UTC

GLSA Vote: No!

Repository is clean, all done!