Other IDs this deficiency may be known by:
|Date Last Modified
Version Specific Information:
|Cucumber 1.0 i686||fixed in perl-5.22.4-i686-6 |
|Cucumber 1.0 x86_64||fixed in perl-5.22.4-x86_64-6 |
|Cucumber 1.1 i686||fixed in perl-5.26.2-i686-2 |
|Cucumber 1.1 x86_64||fixed in perl-5.26.2-x86_64-2 |
=================================== Overview ===================================
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to
bypass a directory-traversal protection mechanism, and overwrite arbitrary
files, via an archive file containing a symlink and a regular file with the
================================ Initial Report ================================
By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.
I've attached a proof of concept tarball, which makes Archive::Tar create
/tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
================================= Our Analysis =================================
----- Affected Products -----
Perl 5.26.2 (as originally packaged in Cucumber Linux 1.1) and Perl 5.22.1 (as
originally packaged in Cucumber Linux 1.0) are both vulnerable.
----- Scope and Impact of this Vulnerability -----
Allows for a directory traversal when extracting a maliciously crafted tar
archive using Archive::Tar, which can result in overwriting an arbitrary file.
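A pre-extraction check for the archive layout described above, as an added
example that is not part of the original advisory or of Archive::Tar. It uses
Python's tarfile module to list entries without extracting them and flags any
entry that would be written through an earlier symlink entry; the names audit
and build_sample and the in-memory sample archive are constructed for
illustration.

```python
import io
import posixpath
import tarfile


def audit(fileobj):
    """List (entry name, reason) findings for a tar stream without extracting it."""
    findings, links = [], {}  # links: symlink entry name -> its target
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            if name.startswith("/") or ".." in m.name.split("/"):
                findings.append((m.name, "path leaves the extraction directory"))
            # An earlier symlink with this name, or as a leading directory
            # component, means this entry would be written through the link.
            prefixes = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
            hit = next((p for p in prefixes if p in links), None)
            if hit is not None:
                findings.append((m.name, "written through symlink %s -> %s"
                                 % (hit, links[hit])))
            if m.issym():
                links[name] = m.linkname
                if m.linkname.startswith("/") or ".." in m.linkname.split("/"):
                    findings.append((m.name, "symlink target outside archive: "
                                     + m.linkname))
    return findings


def build_sample(entries):
    """Constructed in-memory archive from (name, symlink_target_or_None, data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target, data in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample with the entry layout from the tar -tvvf listing.
    sample = build_sample([("moo", "/tmp/moo", b""), ("moo", None, b"moo\n")])
    for name, reason in audit(sample):
        print(name + ": " + reason)
```

Running audit over an archive before handing it to an extractor lets a pipeline reject it whenever the returned list is non-empty.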
----- Testing if you are Affected -----
To test if you are affected:
1. Download the following tar archive and save it to a directory that IS NOT
2. Extract it by running the following command:
perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
If the file /tmp/moo is created containing the contents 'moo', then Perl is
----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
================================= Our Solution =================================
We have applied the aforementioned patch and rebuilt.