Bug 1189409 - (CVE-2021-38511) VUL-0: CVE-2021-38511: rust,rust1.43,rust1.53: An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/306233/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-38511:5.5:(AV:...
Depends on:
Blocks:
Reported: 2021-08-12 15:45 UTC by Gianluca Gabrielli
Modified: 2022-09-21 15:25 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Description Gianluca Gabrielli 2021-08-12 15:45:37 UTC
An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks
are present in a TAR archive, extraction can create arbitrary directories via ..
traversal.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38511
http://www.cvedetails.com/cve/CVE-2021-38511/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38511
https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md
https://rustsec.org/advisories/RUSTSEC-2021-0080.html
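The description above is the whole advisory text, so as an added example (not code from the tar crate, from SUSE, or from this bug) here is a self-contained Rust model of the bug class: a symlink entry `esc -> ../outside` is extracted first, then a directory entry `esc/pwned` is created by walking through that symlink. The `Entry` type, the two extractors and the `base/{outside,dst}` layout are all constructed for this example; the hardened variant is one way of closing the hole (create one component at a time and refuse to descend into a symlink), not a claim about how tar 0.4.36 fixed it. It is Unix-only because it creates a real symlink.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};

/// Constructed stand-in for the two archive entries the advisory describes
/// (not the tar crate's entry type): a symlink, then a directory whose path
/// passes through that symlink.
#[derive(Debug, Clone)]
pub enum Entry {
    Dir(PathBuf),
    Symlink { link: PathBuf, target: PathBuf },
}

/// Models the unsafe pattern: parents are created with `create_dir_all`, which
/// follows an already-extracted symlink, so `esc/pwned` lands wherever `esc` points.
pub fn extract_naive(dst: &Path, entries: &[Entry]) -> io::Result<()> {
    for e in entries {
        match e {
            Entry::Dir(p) => fs::create_dir_all(dst.join(p))?,
            Entry::Symlink { link, target } => symlink(target, dst.join(link))?,
        }
    }
    Ok(())
}

/// Hardened variant: reject `..`, root and prefix components, and create
/// directories one component at a time without ever descending into a symlink.
pub fn extract_checked(dst: &Path, entries: &[Entry]) -> io::Result<()> {
    for e in entries {
        match e {
            Entry::Dir(p) => create_dirs_nofollow(dst, p)?,
            Entry::Symlink { link, target } => {
                let parent = link.parent().unwrap_or_else(|| Path::new(""));
                create_dirs_nofollow(dst, parent)?;
                symlink(target, dst.join(link))?;
            }
        }
    }
    Ok(())
}

fn bad(msg: String) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, msg)
}

/// Create `dst/rel` component by component. Every existing component must be a
/// real directory; `symlink_metadata` does not follow links, so a symlink is caught.
fn create_dirs_nofollow(dst: &Path, rel: &Path) -> io::Result<()> {
    let mut cur = dst.to_path_buf();
    for comp in rel.components() {
        match comp {
            Component::Normal(name) => cur.push(name),
            Component::CurDir => continue,
            _ => return Err(bad(format!("rejected path component in {}", rel.display()))),
        }
        match fs::symlink_metadata(&cur) {
            Ok(md) if md.file_type().is_symlink() => {
                return Err(bad(format!("refusing to descend into symlink {}", cur.display())))
            }
            Ok(md) if md.is_dir() => {}
            Ok(_) => return Err(bad(format!("{} is not a directory", cur.display()))),
            Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(&cur)?,
            Err(e) => return Err(e),
        }
    }
    Ok(())
}

/// Lay out base/{outside,dst}, run both extractors on the same constructed
/// entries and report (naive created base/outside/pwned, checked refused).
pub fn run_demo(base: &Path) -> io::Result<(bool, bool)> {
    let _ = fs::remove_dir_all(base);
    let outside = base.join("outside");
    let dst = base.join("dst");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&dst)?;
    let entries = [
        Entry::Symlink { link: PathBuf::from("esc"), target: PathBuf::from("../outside") },
        Entry::Dir(PathBuf::from("esc/pwned")),
    ];
    extract_naive(&dst, &entries)?;
    let escaped = outside.join("pwned").is_dir();

    fs::remove_dir_all(&dst)?;
    fs::create_dir_all(&dst)?;
    let refused = extract_checked(&dst, &entries).is_err();
    let _ = fs::remove_dir_all(base);
    Ok((escaped, refused))
}

fn main() -> io::Result<()> {
    let base = std::env::temp_dir().join(format!("tar-traversal-demo-{}", std::process::id()));
    let (escaped, refused) = run_demo(&base)?;
    println!("naive extraction created a directory outside dst: {}", escaped);
    println!("checked extraction refused the archive: {}", refused);
    Ok(())
}
```

The naive run reports `true` for the escape: `create_dir_all` sees `dst/esc` as an existing directory because it follows the link, and `mkdir dst/esc/pwned` ends up in `base/outside`. The checked run fails on the same archive at the `esc` component. Rejecting only `..` in entry names is not enough, which is why the check is done against what is already on disk.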
Comment 1 Gianluca Gabrielli 2021-08-12 15:51:43 UTC
Affected packages:

 - SUSE:SLE-15:Update/rust
 - SUSE:SLE-15-SP1:Update/rust
 - SUSE:SLE-15-SP3:Update/rust1.43
 - SUSE:SLE-15-SP3:Update/rust1.53
 - openSUSE:Factory/rust1.53
 - openSUSE:Factory/rust1.54

The vulnerable package is located in the vendor/tar/ folder.
Comment 4 William Brown 2022-08-11 02:22:39 UTC
It was assigned to the wrong person.


- the following pkgs need SECURITY updates to address RUSTSEC-2021-0080 - manual, missing cargo_vendor
osc bco Base:System/dracut

This can be assigned to the dracut maintainers as it appears to be the only package with the issue.
Comment 13 William Brown 2022-08-26 03:26:17 UTC
After discussing with Gianluca, we have resolved these issues as they only affect OBS, not IBS packages, and all the necessary updates to OBS have been submitted.
Comment 14 Gianluca Gabrielli 2022-08-26 07:49:20 UTC
Correct.

I still have a question about the following packages that are still flagged as affected in our tracker. Can you share your feedback or submit patches?

 - SUSE:SLE-15:Update/rust
 - SUSE:SLE-15-SP1:Update/rust
Comment 15 William Brown 2022-08-29 01:19:42 UTC
(In reply to Gianluca Gabrielli from comment #14)
> Correct.
> 
> I still have a question about the following packages that are still flagged
> as affected in our tracker. Can you share your feedback or submit patches?
> 
>  - SUSE:SLE-15:Update/rust
>  - SUSE:SLE-15-SP1:Update/rust

I think the issue is that these CVEs are flagged against *rust* the compiler tool chain, and not *packages that depend on rust*. Which really makes this tracking situation much harder as a result. I think this actually speaks to us needing to change our process, where we have a "meta-package" or something we tag against (cargo-packaging maybe?) to track "vulns in crates that are vendored" vs "vulns in rust's compiler itself".
Comment 16 Marcus Meissner 2022-09-21 15:25:18 UTC
So, I wrote a script and these are the current tar crate users:

openSUSE:Factory,aws-nitro-enclaves-cli,tar,0.4.38
openSUSE:Factory,cargo-c,tar,0.4.38
openSUSE:Factory,deno,tar,0.4.38
openSUSE:Factory,juliaup,tar,0.4.38
openSUSE:Factory,pijul,tar,0.4.38
openSUSE:Factory,python-maturin,tar,0.4.38
openSUSE:Factory,rage-encryption,tar,0.4.38
openSUSE:Factory,rustup,tar,0.4.38
openSUSE:Factory,sccache,tar,0.4.38
openSUSE:Factory,wasm-pack,tar,0.4.38
openSUSE:Factory,wezterm,tar,0.4.38
openSUSE:Factory,zola,tar,0.4.38
SUSE:SLE-15-SP3:Update,rustup,tar,0.4.37
SUSE:SLE-15-SP3:Update,sccache,tar,0.4.37
SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,tar,0.4.38
SUSE:SLE-15-SP4:Update,cargo-c,tar,0.4.38
SUSE:SLE-15-SP4:Update,rustup,tar,0.4.37
SUSE:SLE-15-SP4:Update,sccache,tar,0.4.37

As far as I see all are higher than 0.4.36 at this time.
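Comment 16 shows only the output of the script, not the check itself. As an added example (not SUSE's tooling and not part of this bug), the following Rust program reads the `[[package]]` blocks of a Cargo.lock, such as the one shipped beside a vendored `vendor/tar/`, and flags every `tar` entry below the fixed version 0.4.36. The lock file content is constructed inline for the example; the function names are this example's own.

```rust
use std::cmp::Ordering;

/// Constructed Cargo.lock excerpt: one vulnerable and one fixed tar entry.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "filetime"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tar"
version = "0.4.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "filetime",
]

[[package]]
name = "tar"
version = "0.4.38"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Parse the `(major, minor, patch)` triple of a version string; any
/// pre-release or build suffix after `-` or `+` is ignored for this check.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Minimal `[[package]]` reader for Cargo.lock: returns (name, version) pairs.
/// A trailing sentinel header flushes the last block.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let (mut name, mut version) = (None::<String>, None::<String>);
    for line in lock.lines().map(str::trim).chain(std::iter::once("[[package]]")) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
            continue;
        }
        if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    out
}

/// Versions of `tar` in the lock file that are below 0.4.36 (RUSTSEC-2021-0080).
/// An unparseable version is reported as well, so it gets looked at by hand.
pub fn vulnerable_tar(lock: &str) -> Vec<String> {
    const FIXED: (u64, u64, u64) = (0, 4, 36);
    lock_packages(lock)
        .into_iter()
        .filter(|(n, _)| n == "tar")
        .filter(|(_, v)| parse_version(v).map_or(true, |p| p.cmp(&FIXED) == Ordering::Less))
        .map(|(_, v)| v)
        .collect()
}

fn main() {
    // Same shape as the comment's output: project,package,crate,version.
    for v in vulnerable_tar(SAMPLE_LOCK) {
        println!("sample-project,sample-package,tar,{} (below 0.4.36)", v);
    }
}
```

A lock file can legitimately carry two `tar` entries when two dependency trees pin different versions, as the sample does, so the scan reports each entry rather than stopping at the first match; a vendored `vendor/` directory is only safe when every entry is at or above 0.4.36.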