155901 – app-arch/tar symlink directory traversal? (CVE-2006-6097)

Bug 155901 - app-arch/tar symlink directory traversal? (CVE-2006-6097)

Summary: app-arch/tar symlink directory traversal? (CVE-2006-6097)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:	http://lists.grok.org.uk/pipermail/fu...
Whiteboard:	A2? [glsa+] jaervosz
Keywords:

Duplicates (1):	156578 (view as bug list)
Depends on:
Blocks:

Reported:	2006-11-21 16:36 UTC by Tom Knight (RETIRED)
Modified:	2007-02-11 10:24 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tom Knight (RETIRED) gentoo-dev

2006-11-21 16:36:19 UTC

It's possible to create symlinks to arbitrary locations on the filesystem within a tarball using the GNUTYPE_NAMES record name. This is demonstrated in the FD post specified.

Also this has been verified by a Gentoo user here: http://sheepy.org/node/23

For all intents and purposes you can can s/rootdo/sudo/g in that report (He's got some crazy scripts seeing as he's a veteran Gentoo user :) I've also verified this exploit locally.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-21 23:07:09 UTC

Base system please advise.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-24 11:44:15 UTC

Proposed fix is here:

https://savannah.gnu.org/bugs/download.php?file_id=11327

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-24 11:45:39 UTC

And upstream bug: https://savannah.gnu.org/bugs/index.php?18355

Comment 4 Stefan Cornelius (RETIRED) gentoo-dev

2006-11-28 01:39:14 UTC

mhh this is evil, tricking somebody into extracting a tar file is easy.

please bump

Comment 5 Jakub Moc (RETIRED) gentoo-dev

2006-11-29 00:38:32 UTC

*** Bug 156578 has been marked as a duplicate of this bug. ***

Comment 6 Stefan Cornelius (RETIRED) gentoo-dev

2006-11-30 11:26:40 UTC

base-system, we are behind schedule, please bump!

Comment 7 SpanKY gentoo-dev

2006-12-02 14:59:58 UTC

cry me a river

1.16-r2 is in portage with the change that actually went into upstream cvs

Comment 8 Stefan Cornelius (RETIRED) gentoo-dev

2006-12-03 03:56:55 UTC

arch teams, please test and stable 1.16-r2

Comment 9 Andrej Kacian (RETIRED) gentoo-dev

2006-12-03 07:12:56 UTC

x86 done

Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev

2006-12-03 10:33:05 UTC

ppc stable

Comment 11 Jason Wever (RETIRED) gentoo-dev

2006-12-03 11:33:56 UTC

And you, SPARC'd me all night long....

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev

2006-12-03 14:29:00 UTC

Stable for HPPA.

Comment 13 Markus Rothe (RETIRED) gentoo-dev

2006-12-06 00:19:35 UTC

ppc64 stable

Comment 14 Alexander Færøy 2006-12-06 13:06:05 UTC

Stable on MIPS.

Comment 15 Alexander Færøy 2006-12-06 13:35:18 UTC

Argh, forgot Alpha. Alpha is stable too.

Comment 16 Daniel Gryniewicz (RETIRED) gentoo-dev

2006-12-08 10:41:28 UTC

amd64 done, sorry for the delay.

Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev

2006-12-11 13:56:53 UTC

GLSA 200612-10

thanks everyone