https://bugzilla.redhat.com/show_bug.cgi?id=1588760
Bug ID: 1588760
Summary: CVE-2018-12015 perl: Directory traversal in Archive::Tar
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: alexl@redhat.com, caillon+fedoraproject@gmail.com, iarnell@gmail.com, jplesnik@redhat.com, kasal@ucw.cz, mbarnes@fastmail.com, mmaslano@redhat.com, perl-devel@lists.fedoraproject.org, ppisar@redhat.com, psabata@redhat.com, rhughes@redhat.com, sandmann@redhat.com, tcallawa@redhat.com
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
https://bugzilla.redhat.com/show_bug.cgi?id=1588760
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
-----|---------|------
Depends On | | 1588761
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created perl tracking bugs for this issue:
Affects: fedora-all [bug 1588761]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1588761 [Bug 1588761] CVE-2018-12015 perl: Directory traversal in Archive::Tar [fedora-all]
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
-----|---------|------
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl=affected | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl=affected,rhel-5/perl=notaffected,rhel-6/perl=notaffected,rhel-7/perl=notaffected,rhel-8/perl=affected,rhscl-3/rh-perl526-perl=affected,rhscl-3/rh-perl524-perl=affected,rhscl-3/rh-perl520-perl=wontfix
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
-----|---------|------
CC | | hhorak@redhat.com, jorton@redhat.com, perl-maint-list@redhat.com
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl=affected,rhel-5/perl=notaffected,rhel-6/perl=notaffected,rhel-7/perl=notaffected,rhel-8/perl=affected,rhscl-3/rh-perl526-perl=affected,rhscl-3/rh-perl524-perl=affected,rhscl-3/rh-perl520-perl=wontfix | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl=affected,rhel-5/perl=new,rhel-6/perl=new,rhel-7/perl=new,rhel-8/perl=new,rhscl-3/rh-perl526-perl=new,rhscl-3/rh-perl524-perl=new,rhscl-3/rh-perl520-perl=new
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
-----|---------|------
Blocks | | 1588762
Petr Pisar ppisar@redhat.com changed:
What | Removed | Added
-----|---------|------
External Bug ID | | CPAN 125523
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl=affected,rhel-5/perl=new,rhel-6/perl=new,rhel-7/perl=new,rhel-8/perl=new,rhscl-3/rh-perl526-perl=new,rhscl-3/rh-perl524-perl=new,rhscl-3/rh-perl520-perl=new | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl=affected,rhel-5/perl=new,rhel-6/perl=new,rhel-7/perl=affected,rhel-8/perl=new,rhscl-3/rh-perl526-perl=new,rhscl-3/rh-perl524-perl=new,rhscl-3/rh-perl520-perl=new
--- Comment #2 from Petr Pisar ppisar@redhat.com --- Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide the Archive::Tar module from the perl source package, but from the perl-Archive-Tar source package.
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
CC | iarnell@gmail.com, mmaslano@redhat.com, tcallawa@redhat.com | caolanm@redhat.com, john.j5live@gmail.com, rstrode@redhat.com, steve@silug.org
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl=affected,rhel-5/perl=new,rhel-6/perl=new,rhel-7/perl=affected,rhel-8/perl=new,rhscl-3/rh-perl526-perl=new,rhscl-3/rh-perl524-perl=new,rhscl-3/rh-perl520-perl=new | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=new,rhel-6/perl=new,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=new,rhscl-3/rh-perl526-perl-Archive-Tar=new,rhscl-3/rh-perl524-perl-Archive-Tar=new,rhscl-3/rh-perl520-perl-Archive-Tar=new
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
CC | | cbuissar@redhat.com
--- Comment #3 from Cedric Buissart cbuissar@redhat.com --- (In reply to Petr Pisar from comment #2)
> Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide Archive::Tar module by perl source package, but by perl-Archive-Tar source package.
Corrected. However, it seems that RHEL-5 also provides perl-Archive-Tar as a source package (i.e. only RHEL-6 has Archive::Tar merged into the perl source).
--- Comment #4 from Petr Pisar ppisar@redhat.com --- (In reply to Cedric Buissart from comment #3)
> However, it seems that RHEL-5 also provides perl-Archive-Tar as source (i.e.: only RHEL-6 has Archive::Tar merged into perl source)
You are right. RHEL-5 also has a standalone perl-Archive-Tar. perl-5.8.8 never distributed Archive::Tar, because upstream only started bundling it with the perl sources in 5.9.3.
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=new,rhel-6/perl=new,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=new,rhscl-3/rh-perl526-perl-Archive-Tar=new,rhscl-3/rh-perl524-perl-Archive-Tar=new,rhscl-3/rh-perl520-perl-Archive-Tar=new | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=new,rhel-6/perl=affected,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=new,rhscl-3/rh-perl526-perl-Archive-Tar=new,rhscl-3/rh-perl524-perl-Archive-Tar=new,rhscl-3/rh-perl520-perl-Archive-Tar=new
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Depends On | | 1591205
--- Comment #5 from Cedric Buissart cbuissar@redhat.com --- Created perl-Archive-Tar tracking bugs for this issue:
Affects: fedora-all [bug 1591205]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1591205 [Bug 1591205] CVE-2018-12015 perl-Archive-Tar: perl: Directory traversal in Archive::Tar [fedora-all]
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=new,rhel-6/perl=affected,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=new,rhscl-3/rh-perl526-perl-Archive-Tar=new,rhscl-3/rh-perl524-perl-Archive-Tar=new,rhscl-3/rh-perl520-perl-Archive-Tar=new | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=new,rhel-6/perl=affected,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=new,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=affected
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Fixed In Version | | perl-Archive-Tar 2.28
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=new,rhel-6/perl=affected,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=new,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=affected | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=new,rhel-6/perl=affected,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=affected
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=new,rhel-6/perl=affected,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=affected | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=wontfix,rhel-6/perl=wontfix,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=affected
Bug 1588760 depends on bug 1591205, which changed state.
Bug 1591205 Summary: CVE-2018-12015 perl-Archive-Tar: perl: Directory traversal in Archive::Tar [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1591205
What | Removed | Added
-----|---------|------
Status | NEW | CLOSED
Resolution | --- | DUPLICATE
--- Comment #8 from Fedora Update System updates@fedoraproject.org --- perl-Archive-Tar-2.28-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #9 from Fedora Update System updates@fedoraproject.org --- perl-Archive-Tar-2.28-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Priority | low | medium
Whiteboard | impact=low,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=wontfix,rhel-6/perl=wontfix,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=affected | impact=moderate,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=wontfix,rhel-6/perl=wontfix,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=affected
Severity | low | medium
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Depends On | | 1592804, 1592806, 1592803, 1592805
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Whiteboard | impact=moderate,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=wontfix,rhel-6/perl=wontfix,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=affected | impact=moderate,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=wontfix,rhel-6/perl=wontfix,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=wontfix
Cedric Buissart cbuissar@redhat.com changed:
What | Removed | Added
-----|---------|------
Whiteboard | impact=moderate,public=20180607,reported=20180607,source=cve,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=wontfix,rhel-6/perl=wontfix,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=wontfix | impact=moderate,public=20180607,reported=20180607,source=cve,cvss3=5.4/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-22,fedora-all/perl-Archive-Tar=affected,rhel-5/perl-Archive-Tar=wontfix,rhel-6/perl=wontfix,rhel-7/perl-Archive-Tar=affected,rhel-8/perl-Archive-Tar=notaffected,rhscl-3/rh-perl526-perl-Archive-Tar=affected,rhscl-3/rh-perl524-perl-Archive-Tar=affected,rhscl-3/rh-perl520-perl-Archive-Tar=wontfix
--- Doc Text *updated* --- It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter.
--- Comment #11 from Cedric Buissart cbuissar@redhat.com --- Upstream fix: https://github.com/jib/archive-tar-new/commit/ae65651eab05
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
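The extraction hazard the doc text describes, as an added pre-extraction check (example code written for this page, not Archive::Tar's own fix, and in Python with the standard tarfile module rather than Perl): it walks the archive in order and reports every later entry that would be written through a symlink the same archive creates, which is the symlink-plus-same-name-file pattern of CVE-2018-12015. The sample archive, its entry names and its link targets are constructed placeholders.

```python
import io
import posixpath
import tarfile


def _norm(name):
    # Compare entry names in one canonical form ("./a//b" and "a/b" are the same entry).
    return posixpath.normpath(name)


def find_symlink_collisions(archive_bytes):
    """Return (entry, symlink, linkname) triples, one per non-symlink entry whose
    path equals, or lies beneath, a symlink that appears earlier in the same
    archive. A naive extractor follows the link it has just created and writes
    the later entry wherever the link points, which is the CVE-2018-12015 pattern."""
    symlinks = {}    # normalized name -> link target, in archive order
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            name = _norm(member.name)
            if member.issym():
                symlinks[name] = member.linkname
                continue
            # Walk from the entry up to its top-level component; a hit at any
            # level means the write would pass through a link the archive planted.
            path = name
            while path not in ("", ".", "/"):
                if path in symlinks:
                    findings.append((member.name, path, symlinks[path]))
                    break
                path = posixpath.dirname(path)
    return findings


def build_sample_archive():
    """Constructed sample (not from the bug report): symlink 'notes.txt' followed
    by a regular file of the same name, a symlinked directory 'lib' followed by a
    file beneath it, and one harmless file. Link targets are placeholders."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in (("notes.txt", "../elsewhere/notes.txt"),
                             ("lib", "/tmp/placeholder-dir")):
            link = tarfile.TarInfo(name)
            link.type = tarfile.SYMTYPE
            link.linkname = target
            tar.addfile(link)            # symlink entries carry no data
        for name in ("notes.txt", "lib/Config.pm", "README"):
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `find_symlink_collisions(build_sample_archive())` flags `notes.txt` and `lib/Config.pm` and leaves `README` alone; an extractor that refuses an archive with any finding never writes through an archive-supplied link.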
Bug 1588760 depends on bug 1588761, which changed state.
Bug 1588761 Summary: CVE-2018-12015 perl-Archive-Tar: perl: Directory traversal in Archive::Tar [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1588761
What | Removed | Added
-----|---------|------
Status | ON_QA | CLOSED
Resolution | --- | ERRATA