CLD-424 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | perl |
Deficiency Type | SECURITY |
Date Created | 2018-06-07 12:11:19 |
Date Last Modified | 2018-06-09 10:02:16 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in perl-5.22.4-i686-6 |
Cucumber 1.0 x86_64 | fixed in perl-5.22.4-x86_64-6 |
Cucumber 1.1 i686 | fixed in perl-5.26.2-i686-2 |
Cucumber 1.1 x86_64 | fixed in perl-5.26.2-x86_64-2 |
Details:
=================================== Overview ===================================
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to
bypass a directory-traversal protection mechanism, and overwrite arbitrary
files, via an archive file containing a symlink and a regular file with the
same name.
================================ Initial Report ================================
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834:
Source: perl
Version: 5.26.2-5
Tags: security
By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.
I've attached a proof of concept tarball, which makes Archive::Tar create
/tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ pwd
/home/jwilk
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
/tmp/moo
--
Jakub Wilk
================================= Our Analysis =================================
----- Affected Products -----
Perl 5.26.2 (as originally packaged in Cucumber Linux 1.1) and Perl 5.22.1 (as
originally packaged in Cucumber Linux 1.0) are both vulnerable.
----- Scope and Impact of this Vulnerability -----
Allows for a directory traversal when extracting a maliciously crafted tar
archive using Archive::Tar, which can result in overwriting an arbitrary file.
----- Testing if you are Affected -----
To test if you are affected:
1. Download the following tar archive and save it to a directory that IS NOT
/tmp:
https://cucumberlinux.com/~scott/vulnerabilities/CVE-2018-12015/traversal.tar.gz
2. Extract it by running the following command:
perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
If the file /tmp/moo is created containing the contents 'moo', then Perl is
vulnerable.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5.
================================= Our Solution =================================
We have applied the aforementioned patch and rebuilt.