Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 192989 - perl-core/Archive-Tar < 1.40 Directory traversal flaws (CVE-2007-4829)
Summary: perl-core/Archive-Tar < 1.40 Directory traversal flaws (CVE-2007-4829)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-18 23:37 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-03 06:58 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-18 23:37:22 UTC
According to RedHat:
  Directory traversal vulnerability in Archive::Tar perl module allows
  user-assisted remote attackers to overwrite arbitrary files writable
  by user running application using this module via an absolute path or
  a .. (dot dot) sequence in filenames in a TAR archive.

  Similar issues were reported and fixed for GNU tar during past several
  years, e.g.: CVE-2001-1267, CVE-2002-0399, CVE-2002-1216 and CVE-2007-4131.

  This issue is important when this module is used to extract tar archives
  from untrusted sources.  However, some of such applications either
  implement workarounds / own checks (sa-update in spamassassin) or
  dropped module support at all (amavisd-new).
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-18 23:37:52 UTC
Whiteboard.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-08 13:28:18 UTC
cc'ing maintainers for information. upstream bug is here:

http://rt.cpan.org/Public/Bug/Display.html?id=29517

Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-17 18:35:02 UTC
Perl any news on this one?
Comment 4 Christian Hartmann (RETIRED) gentoo-dev 2007-10-18 06:31:49 UTC
Still waiting for upstream patch/fix.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-13 01:32:14 UTC
Allegedly be fixed in the not yet mirrored
  http://search.cpan.org/~kane/Archive-Tar-1.37_01/
Comment 6 Christian Hartmann (RETIRED) gentoo-dev 2007-11-19 11:16:29 UTC
Still waiting for the final.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 21:00:21 UTC
1.38 is out. Please bump.
Comment 8 İsmail Dönmez 2007-12-30 21:19:11 UTC
(In reply to comment #7)
> 1.38 is out. Please bump.

Well, according to http://rt.cpan.org/Public/Bug/Display.html?id=30380#txn-385889 , v1.38 is still vulnerable in some other way.
Comment 9 Torsten Veller (RETIRED) gentoo-dev 2008-04-23 10:21:02 UTC
Archive-Tar-1.38 is in the tree for some time.

Please have a look at the discussion linked in comment #8.
Comment 10 Torsten Veller (RETIRED) gentoo-dev 2008-10-20 17:47:31 UTC
dev-perl/Archive-Tar-1.40 is in the tree now.

KEYWORDS were dropped because of new dependencies:
* perl-core/Package-Constants
* dev-perl/IO-Compress-Bzip2
* dev-perl/Compress-Raw-Bzip2

KEYWORDS="alpha amd64 ~arm hppa ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-20 18:10:40 UTC
Thanks tove.

Arches, please test and mark stable / re-keyword
  =dev-perl/Archive-Tar-1.40

along with its new dependencies:
  =perl-core/Package-Constants-0.01
  =dev-perl/IO-Compress-Bzip2-2.015
  =dev-perl/Compress-Raw-Bzip2-2.015

Targets:
  Stable: alpha amd64 hppa ia64 sparc x86
  Keyword only: ~arm ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc-fbsd ~x86-fbsd
Comment 12 Torsten Veller (RETIRED) gentoo-dev 2008-10-20 19:06:30 UTC
(In reply to comment #11)
> Arches, please test and mark stable / re-keyword
>   =dev-perl/Archive-Tar-1.40
> 
> along with its new dependencies:
>   =perl-core/Package-Constants-0.01
>   =dev-perl/IO-Compress-Bzip2-2.015
>   =dev-perl/Compress-Raw-Bzip2-2.015
  and also (need a matching PV):
    =dev-perl/IO-Compress-Zlib-2.015
    =dev-perl/Compress-Raw-Zlib-2.015
    =dev-perl/IO-Compress-Base-2.015
    =dev-perl/Compress-Zlib-2.015
> 
> Targets:
>   Stable: alpha amd64 hppa ia64 sparc x86
>   Keyword only: ~arm ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc-fbsd ~x86-fbsd
Comment 13 Friedrich Oslage (RETIRED) gentoo-dev 2008-10-20 23:12:55 UTC
sparc stable
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-21 16:02:25 UTC
amd64 stable, Archive-Tar and its dependencies all pass their tests.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2008-10-21 17:15:16 UTC
ppc64 stable
Comment 16 Guy Martin (RETIRED) gentoo-dev 2008-10-22 20:05:24 UTC
hppa stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2008-10-23 11:37:12 UTC
alpha/ia64/x86 stable
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-23 18:19:54 UTC
ppc stable
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-23 21:13:25 UTC
Ready for vote, I vote YES.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:55:32 UTC
tar and star got their GLSA as well back then, so YES.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-12-10 16:54:50 UTC
GLSA 200812-10