Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 189690 - app-arch/star: Directory traversal vulnerability (CVE-2007-4134)
Summary: app-arch/star: Directory traversal vulnerability (CVE-2007-4134)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4? [glsa]
Keywords:
Depends on: 185856
Blocks:
  Show dependency tree
 
Reported: 2007-08-21 10:37 UTC by Robert Buchholz (RETIRED)
Modified: 2007-10-22 22:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
star-traversal.diff (star-traversal.diff,340 bytes, patch)
2007-08-21 10:38 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
v.tar (v.tar,10.00 KB, application/octet-stream)
2007-08-21 10:40 UTC, Robert Buchholz (RETIRED)
no flags Details
star-1.5_alpha74-multiple-slashes.diff (star-1.5_alpha74-multiple-slashes.diff,278 bytes, patch)
2007-08-21 13:57 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
sparc64-emerge-info (sparc64-emerge-info,2.51 KB, text/plain)
2007-09-13 12:21 UTC, Jorge Manuel B. S. Vicetto
no flags Details
app-arch:star-1.5_alpha84:20070913-105036.log (app-arch:star-1.5_alpha84:20070913-105036.log,99.25 KB, text/plain)
2007-09-13 12:22 UTC, Jorge Manuel B. S. Vicetto
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-08-21 10:37:29 UTC
There is a  directory traversal vulnerability in star that can be exploited by files in an archive that contain "foo//..//.." as a filename. This is related to the vulnerability described in bug #189682.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-08-21 10:38:44 UTC
Created attachment 128754 [details, diff]
star-traversal.diff

Patch to fixing this.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-08-21 10:40:03 UTC
Created attachment 128756 [details]
v.tar

tar file to exploit this issue (creates a README file outside of the working dir)
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-08-21 13:57:52 UTC
Created attachment 128776 [details, diff]
star-1.5_alpha74-multiple-slashes.diff

Contacted upstream, this was the proposed patch.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-08-21 20:38:48 UTC
shell-tools please advise and patch as necessary.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-08-29 07:02:49 UTC
New upstream release AN-1.5a84 fixes this issue.
Comment 6 Wolfram Schlich (RETIRED) gentoo-dev 2007-09-06 08:22:58 UTC
still 1.5a84 is not in portage...
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2007-09-06 11:55:33 UTC
It crashes here. But I've contacted upstream and Joerg gave sent me some additional fixes. As soon as I test them, I'll bump.
Comment 8 Wolfram Schlich (RETIRED) gentoo-dev 2007-09-06 12:08:34 UTC
(In reply to comment #7)
> It crashes here. But I've contacted upstream and Joerg gave sent me some
> additional fixes. As soon as I test them, I'll bump.
> 

great, thanks :o)
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 21:45:37 UTC
Proposing B4 based on severity in bug 189682, setting whiteboard to waiting for ebuild
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2007-09-12 18:47:32 UTC
Finally ebuild is in the tree.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2007-09-12 19:05:05 UTC
Thanks Peter. Arches, please test and mark stable app-arch/star-1.5_alpha84.
Target keywords are: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
Comment 12 Markus Meier gentoo-dev 2007-09-12 20:36:39 UTC
x86 stable
Comment 13 Jeroen Roovers gentoo-dev 2007-09-13 03:42:55 UTC
Stable for HPPA.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-09-13 11:41:58 UTC
ppc64 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2007-09-13 11:46:04 UTC
alpha/ia64 stable
Comment 16 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2007-09-13 12:20:50 UTC
The emerge completes here on sparc64 with the following warnings:

RULES/rules1.top:239: incs/Dcc.sparc-linux: No such file or directory
RULES/rules.cnf:56: incs/sparc-linux-cc/Inull: No such file or directory
RULES/rules.cnf:57: incs/sparc-linux-cc/rules.cnf: No such file or directory

../RULES/rules.ins:27: warning: overriding commands for target `/usr/'
../RULES/rules.ins:22: warning: ignoring old commands for target `/usr/'
../RULES/rules.ins:30: warning: overriding commands for target `../bins/sparc-linux-cc'
../RULES/rules.ins:24: warning: ignoring old commands for target `../bins/sparc-linux-cc'

The package doesn't run any tests. I was able to create a simple .tar.bz2 file and to extract it.
Comment 17 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2007-09-13 12:21:58 UTC
Created attachment 130804 [details]
sparc64-emerge-info

emerge --info for sparc64
Comment 18 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2007-09-13 12:22:45 UTC
Created attachment 130806 [details]
app-arch:star-1.5_alpha84:20070913-105036.log

Complete emerge log for star-1.5_alpha84
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2007-09-13 13:19:36 UTC
Jorge, I suppose that similar warnings are on all archs and this is a feature/problem of SSPM ("Slottable Source Plugin Module" system). This should not stop/delay stabilization.
Comment 20 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-13 14:46:45 UTC
(In reply to comment #19)
> Jorge, I suppose that similar warnings are on all archs and this is a
> feature/problem of SSPM ("Slottable Source Plugin Module" system). This should
> not stop/delay stabilization.
> 

Then all is ready, sparc stable.
Thanks Jorge for the testing and Peter for the note.
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-15 08:20:59 UTC
ppc stable
Comment 22 Christoph Mende (RETIRED) gentoo-dev 2007-09-16 13:52:02 UTC
amd64 stable
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2007-09-16 14:18:11 UTC
All but mips stable, next is glsa decision.
Comment 24 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-24 16:27:41 UTC
I tend to vote NO.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-25 09:33:30 UTC
I vote NO.
Comment 26 Joshua Kinard gentoo-dev 2007-09-28 02:37:45 UTC
mips stable.
Comment 27 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-02 21:26:41 UTC
we already sent a GLSA for such an issue in the near past (bug #189682 and GLSA 200709-09), and i would send a GLSA here too. I vote yes.
Comment 28 Matt Drew (RETIRED) gentoo-dev 2007-10-11 21:17:21 UTC
I vote yes, because the reasoning is the same as the previous tar vulnerability.

GLSA request filed.
Comment 29 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-14 07:45:08 UTC
star is not as widely used as tar that was why I voted NO (rating A4 vs B4).
Comment 30 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-22 22:28:15 UTC
glsa 200710-08, thanks everybody
Comment 31 Robert Buchholz (RETIRED) gentoo-dev 2007-10-22 22:35:40 UTC
(In reply to comment #30)
> glsa 200710-08, thanks everybody

Uhh... I'd call it GLSA 200710-23.