First Last Prev Next    This bug is not in your last search results.
Bug 951562 - (CVE-2011-5325) VUL-1: CVE-2011-5325: busybox: tar directory traversal
(CVE-2011-5325)
VUL-1: CVE-2011-5325: busybox: tar directory traversal
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Ihno Krumreich
Security Team bot
https://smash.suse.de/issue/158040/
CVSSv2:SUSE:CVE-2011-5325:6.9:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-22 09:16 UTC by Andreas Stieger
Modified: 2022-11-28 14:32 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Patch for busybox 1.22.0 v3 (4.39 KB, patch)
2015-11-05 16:53 UTC, Andreas Stieger 		Details | Diff
Patch for busybox 1.22.0 v5 (4.44 KB, patch)
2015-11-10 13:07 UTC, Andreas Stieger 		Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-10-22 09:16:06 UTC 
The BusyBox implementation of tar will extract a symlink that
points outside of the current working directory and then follow that
symlink when extracting other files. This allows for a directory
traversal attack when extracting untrusted tarballs.

This behavior was documented in the BusyBox source with the following
2011 commit:

http://git.busybox.net/busybox/commit/?id=a116552869db5e7793ae10968eb3c962c69b3d8c
http://git.busybox.net/busybox/tree/archival/tar.c#n25

> TODO: security with -C DESTDIR option can be enhanced.
> Consider tar file created via:
> $ tar cvf bug.tar anything.txt
> $ ln -s /tmp symlink
> $ tar --append -f bug.tar symlink
> $ rm symlink
> $ mkdir symlink
> $ tar --append -f bug.tar symlink/evil.py
> 
> This will result in an archive which contains:
> $ tar --list -f bug.tar
> anything.txt
> symlink
> symlink/evil.py
> 
> Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
> This doesn't feel right, and IIRC GNU tar doesn't do that.

The above should be our reproducer.

Upstream bug report:
https://bugs.busybox.net/8411

Somewhat in the same area of bsc#914660

Rated at CVSSv2 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C) for now.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5325
http://seclists.org/oss-sec/2015/q4/121
http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5325.html
Comment 1 Andreas Stieger 2015-10-22 09:33:08 UTC 
No upstream patch seems to be available now. Monitoring.
Comment 2 Andreas Stieger 2015-11-05 16:53:23 UTC 
Created attachment 654839 [details]
Patch for busybox 1.22.0 v3

patch from https://bugs.busybox.net/show_bug.cgi?id=8411#c4
Comment 3 Andreas Stieger 2015-11-10 13:07:55 UTC 
Created attachment 655374 [details]
Patch for busybox 1.22.0 v5

Patch still not final final upstream.

Demonstrator tarball is at
https://bugs.busybox.net/show_bug.cgi?id=8411#c12
https://bugs.busybox.net/attachment.cgi?id=6216
Comment 6 Swamp Workflow Management 2021-10-27 13:30:07 UTC 
openSUSE-SU-2021:3531-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1099260,1099263,1121426,1184522,951562
CVE References: CVE-2011-5325,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2021-28831
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
Comment 7 Swamp Workflow Management 2021-10-27 13:33:58 UTC 
SUSE-SU-2021:3531-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1099260,1099263,1121426,1184522,951562
CVE References: CVE-2011-5325,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2021-28831
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
SUSE Linux Enterprise Server for SAP 15 (src):    busybox-1.26.2-4.5.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
SUSE Linux Enterprise Server 15-LTSS (src):    busybox-1.26.2-4.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    busybox-1.26.2-4.5.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    busybox-1.26.2-4.5.1
SUSE Enterprise Storage 6 (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1
SUSE CaaS Platform 4.0 (src):    busybox-1.26.2-4.5.1, busybox-static-1.26.2-4.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-10-31 20:36:21 UTC 
openSUSE-SU-2021:1408-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1099260,1099263,1121426,1184522,951562
CVE References: CVE-2011-5325,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2021-28831
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    busybox-1.26.2-lp152.5.3.1, busybox-static-1.26.2-lp152.5.3.1
Comment 11 Swamp Workflow Management 2022-01-20 14:20:17 UTC 
openSUSE-SU-2022:0135-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1064976,1064978,1069412,1099260,1099263,1102912,1121426,1121428,1184522,1192869,951562,970662,970663,991940
CVE References: CVE-2011-5325,CVE-2015-9261,CVE-2016-2147,CVE-2016-2148,CVE-2016-6301,CVE-2017-15873,CVE-2017-15874,CVE-2017-16544,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2019-5747,CVE-2021-28831,CVE-2021-42373,CVE-2021-42374,CVE-2021-42375,CVE-2021-42376,CVE-2021-42377,CVE-2021-42378,CVE-2021-42379,CVE-2021-42380,CVE-2021-42381,CVE-2021-42382,CVE-2021-42383,CVE-2021-42384,CVE-2021-42385,CVE-2021-42386
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    busybox-1.34.1-4.9.1
Comment 12 Swamp Workflow Management 2022-01-20 14:24:57 UTC 
SUSE-SU-2022:0135-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1064976,1064978,1069412,1099260,1099263,1102912,1121426,1121428,1184522,1192869,951562,970662,970663,991940
CVE References: CVE-2011-5325,CVE-2015-9261,CVE-2016-2147,CVE-2016-2148,CVE-2016-6301,CVE-2017-15873,CVE-2017-15874,CVE-2017-16544,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2019-5747,CVE-2021-28831,CVE-2021-42373,CVE-2021-42374,CVE-2021-42375,CVE-2021-42376,CVE-2021-42377,CVE-2021-42378,CVE-2021-42379,CVE-2021-42380,CVE-2021-42381,CVE-2021-42382,CVE-2021-42383,CVE-2021-42384,CVE-2021-42385,CVE-2021-42386
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    busybox-1.34.1-4.9.1
SUSE Manager Retail Branch Server 4.1 (src):    busybox-1.34.1-4.9.1
SUSE Manager Proxy 4.1 (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Server for SAP 15 (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Server 15-LTSS (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    busybox-1.34.1-4.9.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    busybox-1.34.1-4.9.1
SUSE Enterprise Storage 7 (src):    busybox-1.34.1-4.9.1
SUSE Enterprise Storage 6 (src):    busybox-1.34.1-4.9.1
SUSE CaaS Platform 4.0 (src):    busybox-1.34.1-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-02-14 14:23:55 UTC 
SUSE-SU-2022:0135-2: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1064976,1064978,1069412,1099260,1099263,1102912,1121426,1121428,1184522,1192869,951562,970662,970663,991940
CVE References: CVE-2011-5325,CVE-2015-9261,CVE-2016-2147,CVE-2016-2148,CVE-2016-6301,CVE-2017-15873,CVE-2017-15874,CVE-2017-16544,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2019-5747,CVE-2021-28831,CVE-2021-42373,CVE-2021-42374,CVE-2021-42375,CVE-2021-42376,CVE-2021-42377,CVE-2021-42378,CVE-2021-42379,CVE-2021-42380,CVE-2021-42381,CVE-2021-42382,CVE-2021-42383,CVE-2021-42384,CVE-2021-42385,CVE-2021-42386
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    busybox-1.34.1-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-05-18 13:19:29 UTC 
openSUSE-SU-2022:0135-1: An update that fixes 32 vulnerabilities is now available.

Category: security (important)
Bug References: 1064976,1064978,1069412,1099260,1099263,1102912,1121426,1121428,1184522,1192869,1198676,1198677,1198678,1198679,1198680,1198703,951562,970662,970663,991940
CVE References: CVE-2011-5325,CVE-2015-9261,CVE-2016-2147,CVE-2016-2148,CVE-2016-6301,CVE-2017-15873,CVE-2017-15874,CVE-2017-16544,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2019-5747,CVE-2021-28831,CVE-2021-42373,CVE-2021-42374,CVE-2021-42375,CVE-2021-42376,CVE-2021-42377,CVE-2021-42378,CVE-2021-42379,CVE-2021-42380,CVE-2021-42381,CVE-2021-42382,CVE-2021-42383,CVE-2021-42384,CVE-2021-42385,CVE-2021-42386,CVE-2022-21465,CVE-2022-21471,CVE-2022-21487,CVE-2022-21488,CVE-2022-21491
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    busybox-1.34.1-4.9.1, virtualbox-6.1.34-lp153.2.27.2, virtualbox-kmp-6.1.34-lp153.2.27.1
Comment 15 Swamp Workflow Management 2022-11-11 20:56:46 UTC 
SUSE-SU-2022:3959-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1064976,1064978,1069412,1099260,1099263,1102912,1121426,1121428,1184522,1192869,951562,970662,970663,991940
CVE References: CVE-2011-5325,CVE-2015-9261,CVE-2016-2147,CVE-2016-2148,CVE-2016-6301,CVE-2017-15873,CVE-2017-15874,CVE-2017-16544,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2019-5747,CVE-2021-28831,CVE-2021-42373,CVE-2021-42374,CVE-2021-42375,CVE-2021-42376,CVE-2021-42377,CVE-2021-42378,CVE-2021-42379,CVE-2021-42380,CVE-2021-42381,CVE-2021-42382,CVE-2021-42383,CVE-2021-42384,CVE-2021-42385,CVE-2021-42386
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    busybox-1.35.0-150400.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    busybox-1.35.0-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-11-28 14:32:07 UTC 
SUSE-SU-2022:4253-1: An update that fixes 28 vulnerabilities is now available.

Category: security (important)
Bug References: 1029961,1064976,1064978,1069412,1099260,1099263,1102912,1121426,1121428,1184522,1191514,1192869,914660,951562,970662,970663,991940
CVE References: CVE-2011-5325,CVE-2014-9645,CVE-2015-9261,CVE-2016-2147,CVE-2016-2148,CVE-2016-6301,CVE-2017-15873,CVE-2017-15874,CVE-2017-16544,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2019-5747,CVE-2021-28831,CVE-2021-42373,CVE-2021-42374,CVE-2021-42375,CVE-2021-42376,CVE-2021-42377,CVE-2021-42378,CVE-2021-42379,CVE-2021-42380,CVE-2021-42381,CVE-2021-42382,CVE-2021-42383,CVE-2021-42384,CVE-2021-42385,CVE-2021-42386
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    busybox-1.35.0-4.3.1
SUSE OpenStack Cloud 9 (src):    busybox-1.35.0-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    busybox-1.35.0-4.3.1
SUSE Linux Enterprise Server 12-SP5 (src):    busybox-1.35.0-4.3.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    busybox-1.35.0-4.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    busybox-1.35.0-4.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    busybox-1.35.0-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
First Last Prev Next    This bug is not in your last search results.