Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 155901 - app-arch/tar symlink directory traversal? (CVE-2006-6097)
Summary: app-arch/tar symlink directory traversal? (CVE-2006-6097)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://lists.grok.org.uk/pipermail/fu...
Whiteboard: A2? [glsa+] jaervosz
Keywords:
: 156578 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-11-21 16:36 UTC by Tom Knight (RETIRED)
Modified: 2007-02-11 10:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tom Knight (RETIRED) gentoo-dev 2006-11-21 16:36:19 UTC
It's possible to create symlinks to arbitrary locations on the filesystem within a tarball using the GNUTYPE_NAMES record name. This is demonstrated in the FD post specified.

Also this has been verified by a Gentoo user here: http://sheepy.org/node/23

For all intents and purposes you can can s/rootdo/sudo/g in that report (He's got some crazy scripts seeing as he's a veteran Gentoo user :) I've also verified this exploit locally.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-21 23:07:09 UTC
Base system please advise.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-24 11:44:15 UTC
Proposed fix is here:

https://savannah.gnu.org/bugs/download.php?file_id=11327
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-24 11:45:39 UTC
And upstream bug: https://savannah.gnu.org/bugs/index.php?18355
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-28 01:39:14 UTC
mhh this is evil, tricking somebody into extracting a tar file is easy.

please bump
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2006-11-29 00:38:32 UTC
*** Bug 156578 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-30 11:26:40 UTC
base-system, we are behind schedule, please bump!
Comment 7 SpanKY gentoo-dev 2006-12-02 14:59:58 UTC
cry me a river

1.16-r2 is in portage with the change that actually went into upstream cvs
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-03 03:56:55 UTC
arch teams, please test and stable 1.16-r2
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2006-12-03 07:12:56 UTC
x86 done
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-03 10:33:05 UTC
ppc stable
Comment 11 Jason Wever (RETIRED) gentoo-dev 2006-12-03 11:33:56 UTC
And you, SPARC'd me all night long....
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2006-12-03 14:29:00 UTC
Stable for HPPA.
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2006-12-06 00:19:35 UTC
ppc64 stable
Comment 14 Alexander Færøy 2006-12-06 13:06:05 UTC
Stable on MIPS.
Comment 15 Alexander Færøy 2006-12-06 13:35:18 UTC
Argh, forgot Alpha. Alpha is stable too.
Comment 16 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-12-08 10:41:28 UTC
amd64 done, sorry for the delay.
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-11 13:56:53 UTC
GLSA 200612-10

thanks everyone