CLD-424 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-12015 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2018-06-07 12:11:19
Date Last Modified 2018-06-09 10:02:16

Version Specific Information:

Cucumber 1.0 i686 fixed in perl-5.22.4-i686-6
Cucumber 1.0 x86_64 fixed in perl-5.22.4-x86_64-6

Cucumber 1.1 i686 fixed in perl-5.26.2-i686-2
Cucumber 1.1 x86_64 fixed in perl-5.26.2-x86_64-2

Details:

=================================== Overview ===================================

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to
bypass a directory-traversal protection mechanism, and overwrite arbitrary
files, via an archive file containing a symlink and a regular file with the
same name. 

================================ Initial Report ================================

From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834:

Source: perl
Version: 5.26.2-5
Tags: security

By default, the Archive::Tar module doesn't allow extracting files 
outside the current working directory. However, you can bypass this 
secure extraction mode easily by putting a symlink and a regular file 
with the same name into the tarball.

I've attached a proof of concept tarball, which makes Archive::Tar create 
/tmp/moo, regardless of what the current working directory is:

  $ tar -tvvf traversal.tar.gz
  lrwxrwxrwx root/root         0 2018-06-05 18:55 moo -> /tmp/moo
  -rw-r--r-- root/root         4 2018-06-05 18:55 moo

  $ pwd
  /home/jwilk

  $ ls /tmp/moo
  ls: cannot access '/tmp/moo': No such file or directory

  $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'

  $ ls /tmp/moo
  /tmp/moo

-- 
Jakub Wilk

================================= Our Analysis =================================

----- Affected Products -----
Perl 5.26.2 (as originally packaged in Cucumber Linux 1.1) and Perl 5.22.1 (as
originally packaged in Cucumber Linux 1.0) are both vulnerable.

----- Scope and Impact of this Vulnerability -----
Allows for a directory traversal when extracting a maliciously crafted tar
archive using Archive::Tar, which can result in overwriting an arbitrary file.
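
The archive layout from the initial report can be detected before an archive is
handed to Archive::Tar. The following Python check is an added example, not part
of the original advisory or of the Archive::Tar patch. The function names are
assumptions, the sample archive is constructed in memory to match the listing in
the report, and flagging paths that descend through an earlier symlink goes
beyond the single case reported.

```python
import io
import posixpath
import tarfile


def find_symlink_collisions(fileobj):
    """Return (link_path, link_target, member_name) for each member whose path
    equals, or descends through, a symlink stored earlier in the archive."""
    links = {}      # normalized path of a symlink member -> its target
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            path = posixpath.normpath(member.name)
            # Walk from the member path up through its parents until an
            # earlier symlink is hit or the path is exhausted.
            probe = path
            while probe and probe not in links:
                parent = posixpath.dirname(probe)
                probe = "" if parent == probe else parent
            if probe:
                findings.append((probe, links[probe], member.name))
            if member.issym():
                links[path] = member.linkname
    return findings


def build_sample():
    """Constructed sample with the layout shown in the report: a symlink
    'moo' -> /tmp/moo followed by a 4-byte regular file 'moo'. It stays in
    memory and is only listed, never extracted."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("moo")
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp/moo"
        tar.addfile(link)
        data = b"moo\n"
        regular = tarfile.TarInfo("moo")
        regular.size = len(data)
        tar.addfile(regular, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for link, target, name in find_symlink_collisions(build_sample()):
        print(f"REJECT: {name!r} would be written via symlink {link!r} -> {target!r}")
```

An empty result means no member reuses or passes through the name of an earlier
symlink; any finding is a reason to refuse the archive rather than extract it.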

----- Testing if you are Affected -----
To test if you are affected:
  1. Download the following tar archive and save it to a directory that IS NOT
     /tmp:
     https://cucumberlinux.com/~scott/vulnerabilities/CVE-2018-12015/traversal.tar.gz
  2. Extract it by running the following command:
     perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'

If the file /tmp/moo is created containing the contents 'moo', then Perl is
vulnerable.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt.