Bug 657968 (CVE-2018-12015) - dev-lang/perl: Directory traversal in Archive::Tar (CVE-2018-12015)
Summary: dev-lang/perl: Directory traversal in Archive::Tar (CVE-2018-12015)
Status: IN_PROGRESS
Alias: CVE-2018-12015
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [cve glsa?]
Keywords: STABLEREQ
Duplicates: 657778
Depends on:
Blocks:
 
Reported: 2018-06-12 11:18 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-30 21:18 UTC (History)
CC List: 5 users

See Also:
Package list:
virtual/perl-Archive-Tar-2.300.0-r1 perl-core/Archive-Tar-2.300.0
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-06-12 11:18:08 UTC
CVE-2018-12015 (https://nvd.nist.gov/vuln/detail/CVE-2018-12015):
  In Perl through 5.26.2, the Archive::Tar module allows remote attackers to
  bypass a directory-traversal protection mechanism, and overwrite arbitrary
  files, via an archive file containing a symlink and a regular file with the
  same name.
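As an added example (not part of this bug report or of Archive::Tar), a Python check that flags the archive pattern named in the CVE text: a symlink and a regular file sharing one member name, plus any symlink whose target points outside the extraction root. The sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample: symlink 'data.txt' -> '../outside.txt', then a
    regular file also named 'data.txt', then a harmless 'readme.txt'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("data.txt")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside.txt"
        tar.addfile(link)
        payload = b"constructed content\n"
        reg = tarfile.TarInfo("data.txt")
        reg.size = len(payload)
        tar.addfile(reg, io.BytesIO(payload))
        tar.addfile(tarfile.TarInfo("readme.txt"))
    return buf.getvalue()


def escapes_root(path: str) -> bool:
    """True if a path, resolved relative to the extraction root, leaves it."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")


def audit_archive(data: bytes) -> list[str]:
    """Return a finding per suspicious member; an empty list means clean."""
    findings = []
    seen = {}  # normalized member name -> last TarInfo seen under that name
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():  # getmembers() keeps duplicate names
            name = posixpath.normpath(m.name)
            if m.issym():
                # A relative link target resolves from the link's own directory.
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if escapes_root(target):
                    findings.append(
                        f"{m.name}: symlink target {m.linkname!r} escapes extraction root")
            prev = seen.get(name)
            if prev is not None and prev.issym() != m.issym():
                findings.append(f"{m.name}: appears as both symlink and regular file")
            seen[name] = m
    return findings


if __name__ == "__main__":
    for finding in audit_archive(build_sample_archive()):
        print(finding)
```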
Comment 1 Kent Fredric (IRC: kent\n) gentoo-dev 2018-06-16 04:36:58 UTC
*** Bug 657778 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2018-07-06 02:42:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99fda8ae7b10c15df793d4080339f59ea169acd8

commit 99fda8ae7b10c15df793d4080339f59ea169acd8
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-07-06 01:44:07 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-07-06 01:44:32 +0000

    dev-lang/perl: Bump 5.28.9999 to 5.28.0 Final
    
    - Still fails tests due to bug #645084
    
    Upstream:
    - Now includes Archive-Tar 2.280.0 for CVE-2018-12015 (Bug #657968)
    
    Bug: https://bugs.gentoo.org/645084
    Bug: https://bugs.gentoo.org/657968
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-lang/perl/Manifest              | 2 +-
 dev-lang/perl/perl-5.28.9999.ebuild | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2018-07-06 06:03:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b847f7f94bcfc09435a9cf08c00d842d09171f22

commit b847f7f94bcfc09435a9cf08c00d842d09171f22
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-07-06 05:59:21 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-07-06 05:59:38 +0000

    virtual/perl-Archive-Tar: Bump to 2.300.0 for CVE-2018-12015 bug #657968
    
    This pulls perl-core/Archive-Tar for everyone currently on ~arch, and
    will likely be stabilized before/with dev-lang/perl-5.26.2
    
    Bug: https://bugs.gentoo.org/657968
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 virtual/perl-Archive-Tar/perl-Archive-Tar-2.300.0.ebuild | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
Comment 4 Andreas K. Hüttel gentoo-dev 2019-04-07 13:48:51 UTC
This somehow was missed. 

All arches, please stabilize

virtual/perl-Archive-Tar-2.300.0-r1
perl-core/Archive-Tar-2.300.0
Comment 5 Agostino Sarubbo gentoo-dev 2019-04-07 14:44:35 UTC
amd64 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 21:50:51 UTC
s390 stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2019-04-08 02:20:08 UTC
x86 stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 06:42:18 UTC
alpha stable
Comment 9 Sergei Trofimovich gentoo-dev 2019-04-08 07:24:47 UTC
hppa stable
Comment 10 Mart Raudsepp gentoo-dev 2019-04-08 11:17:17 UTC
arm64 stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 18:56:09 UTC
arm stable
Comment 12 Rolf Eike Beer 2019-04-11 05:21:34 UTC
sparc stable
Comment 13 Sergei Trofimovich gentoo-dev 2019-04-27 16:32:17 UTC
ia64 stable
Comment 14 Sergei Trofimovich gentoo-dev 2019-04-27 16:36:37 UTC
ppc64 stable
Comment 15 Sergei Trofimovich gentoo-dev 2019-04-27 16:52:44 UTC
ppc stable
Comment 16 Andreas K. Hüttel gentoo-dev 2019-05-11 16:19:02 UTC
All security-supported arches done.
Comment 17 Andreas K. Hüttel gentoo-dev 2019-08-30 21:18:36 UTC
@security please proceed