Fix for CVE-2018-12015 in Archive::Tar perl module

The Archive::Tar module of perl did not sanitize symbolic links and could be exploited by an attacker to overwrite arbitrary files by using specially crafted archives. The fix sanitises the file entry being written by the module.

Change-Id: I65334686526c177ff547160d3f6167dd4041d467
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5481
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George

dweepadvani authored on 2018/08/14 00:28:09
Showing 2 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,45 @@
0
+From d23726d0d3d30ce451c6eadda41a2df5446ead27 Mon Sep 17 00:00:00 2001
1
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
2
+Date: Fri, 8 Jun 2018 09:53:16 +0200
3
+Subject: [PATCH] Remove existing files before overwriting them
4
+MIME-Version: 1.0
5
+Content-Type: text/plain; charset=UTF-8
6
+Content-Transfer-Encoding: 8bit
7
+
8
+Archive should extract only the latest same-named entry.
9
+Extracted regular file should not be writtent into existing block
10
+device (or any other one).
11
+
12
+https://rt.cpan.org/Ticket/Display.html?id=125523
13
+Signed-off-by: Petr Písař <ppisar@redhat.com>
14
+---
15
+ cpan/Archive-Tar/lib/Archive/Tar.pm | 14 ++++++++++++++
16
+ 1 file changed, 14 insertions(+)
17
+
18
+
19
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
20
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
21
+@@ -845,6 +845,20 @@ sub _extract_file {
22
+         return;
23
+     }
24
+ 
25
++    ### If a file system already contains a block device with the same name as
26
++    ### the being extracted regular file, we would write the file's content
27
++    ### to the block device. So remove the existing file (block device) now.
28
++    ### If an archive contains multiple same-named entries, the last one
29
++    ### should replace the previous ones. So remove the old file now.
30
++    ### If the old entry is a symlink to a file outside of the CWD, the new
31
++    ### entry would create a file there. This is CVE-2018-12015
32
++    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
33
++    if (-l $full || -e _) {
34
++	if (!unlink $full) {
35
++	    $self->_error( qq[Could not remove old file '$full': $!] );
36
++	    return;
37
++	}
38
++    }
39
+     if( length $entry->type && $entry->is_file ) {
40
+         my $fh = IO::File->new;
41
+         $fh->open( '>' . $full ) or (
42
+-- 
43
+2.14.4
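Review bot: In the block added to _extract_file, `unlink $full` followed by `$fh->open( '>' . $full )` is a check-then-use sequence. The open still follows symlinks, so anything that recreates a link at that path between the two calls brings back the write outside the extraction directory. Consider creating the file with sysopen and O_CREAT|O_EXCL (plus O_NOFOLLOW where available) so the open itself refuses an existing path or link. Two smaller points: `-l $full` tests only the final path component, so a symlinked parent directory is not covered by this change, and the unlink sits ahead of the `$entry->is_file` test, so it runs for every entry type that reaches this point and turns a failed unlink (for example on an existing directory) into an aborted extraction of that entry.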
... ...
@@ -9,7 +9,7 @@
9 9
 Summary:        Practical Extraction and Report Language
10 10
 Name:           perl
11 11
 Version:        5.24.1
12
-Release:        1%{?dist}
12
+Release:        2%{?dist}
13 13
 License:        GPLv1+
14 14
 URL:            http://www.perl.org/
15 15
 Group:          Development/Languages
... ...
@@ -24,6 +24,7 @@ Patch2:         perl-CVE-2018-6797.patch
24 24
 Patch3:         perl-CVE-2018-6798-1.patch
25 25
 Patch4:         perl-CVE-2018-6798-2.patch
26 26
 Patch5:         perl-CVE-2018-6913.patch
27
+Patch6:         perl-CVE-2018-12015.patch
27 28
 Provides:       perl >= 0:5.003000
28 29
 Provides:       perl(getopts.pl)
29 30
 Provides:       /bin/perl
... ...
@@ -43,6 +44,7 @@ Report Language.
43 43
 %patch3 -p1
44 44
 %patch4 -p1
45 45
 %patch5 -p1
46
+%patch6 -p1
46 47
 
47 48
 sed -i 's/-fstack-protector/&-all/' Configure
48 49
 
... ...
@@ -75,6 +77,8 @@ unset BUILD_ZLIB BUILD_BZIP2
75 75
 %{_libdir}/perl5/%{version}/*
76 76
 %{_mandir}/*/*
77 77
 %changelog
78
+*   Wed Aug 08 2018 Dweep Advani <dadvani@vmware.com> 5.24.1-2
79
+-   Fix CVE-2018-12015
78 80
 *   Mon May 21 2018 Xiaolin <xiaolinl@vmware.com> 5.24.1-1
79 81
 -   Fix CVE-2018-6797, CVE-2018-6798, CVE-2018-6913
80 82
 *   Tue Oct 03 2017 Dheeraj Shetty <dheerajs@vmware.com> 5.22.1-5
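Review bot: The new changelog line `-   Fix CVE-2018-12015` does not say which component is patched. Naming Archive::Tar, as the commit message does, would let someone reading the package changelog see that the fix is in the bundled module rather than in the interpreter itself.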