The Archive::Tar module of perl did not sanitize symbolic links and could be exploited by an attacker to overwrite arbitrary files using specially crafted archives. The fix sanitises the file entry being written by the module.
Change-Id: I65334686526c177ff547160d3f6167dd4041d467
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5481
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,45 @@ |
0 |
+From d23726d0d3d30ce451c6eadda41a2df5446ead27 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> |
|
2 |
+Date: Fri, 8 Jun 2018 09:53:16 +0200 |
|
3 |
+Subject: [PATCH] Remove existing files before overwriting them |
|
4 |
+MIME-Version: 1.0 |
|
5 |
+Content-Type: text/plain; charset=UTF-8 |
|
6 |
+Content-Transfer-Encoding: 8bit |
|
7 |
+ |
|
8 |
+Archive should extract only the latest same-named entry. |
|
9 |
+Extracted regular file should not be writtent into existing block |
|
10 |
+device (or any other one). |
|
11 |
+ |
|
12 |
+https://rt.cpan.org/Ticket/Display.html?id=125523 |
|
13 |
+Signed-off-by: Petr Písař <ppisar@redhat.com> |
|
14 |
+--- |
|
15 |
+ cpan/Archive-Tar/lib/Archive/Tar.pm | 14 ++++++++++++++ |
|
16 |
+ 1 file changed, 14 insertions(+) |
|
17 |
+ |
|
18 |
+ |
|
19 |
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm |
|
20 |
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm |
|
21 |
+@@ -845,6 +845,20 @@ sub _extract_file { |
|
22 |
+ return; |
|
23 |
+ } |
|
24 |
+ |
|
25 |
++ ### If a file system already contains a block device with the same name as |
|
26 |
++ ### the being extracted regular file, we would write the file's content |
|
27 |
++ ### to the block device. So remove the existing file (block device) now. |
|
28 |
++ ### If an archive contains multiple same-named entries, the last one |
|
29 |
++ ### should replace the previous ones. So remove the old file now. |
|
30 |
++ ### If the old entry is a symlink to a file outside of the CWD, the new |
|
31 |
++ ### entry would create a file there. This is CVE-2018-12015 |
|
32 |
++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. |
|
33 |
++ if (-l $full || -e _) { |
|
34 |
++ if (!unlink $full) { |
|
35 |
++ $self->_error( qq[Could not remove old file '$full': $!] ); |
|
36 |
++ return; |
|
37 |
++ } |
|
38 |
++ } |
|
39 |
+ if( length $entry->type && $entry->is_file ) { |
|
40 |
+ my $fh = IO::File->new; |
|
41 |
+ $fh->open( '>' . $full ) or ( |
|
42 |
+-- |
|
43 |
+2.14.4 |
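Review bot: The added `-l $full || -e _` check and `unlink $full` are a separate step from the `$fh->open( '>' . $full )` that follows, so the write still goes through whatever exists at `$full` when the open runs; if a link reappears at that path between the two calls, the truncating open follows it. An exclusive create closes that window, e.g. `$fh->open( $full, O_WRONLY|O_CREAT|O_EXCL )`, which fails rather than following a link, and it also stops the mode being concatenated onto the path as the context line does now. The check covers only the final path component; whether symlinked parent directories are rejected elsewhere in `_extract_file` cannot be seen here, because the function starts and ends outside the hunk. Since this file is an imported upstream patch, the hardening is better proposed upstream and tracked in the spec changelog than edited locally.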
... | ... |
@@ -9,7 +9,7 @@ |
9 | 9 |
Summary: Practical Extraction and Report Language |
10 | 10 |
Name: perl |
11 | 11 |
Version: 5.24.1 |
12 |
-Release: 1%{?dist} |
|
12 |
+Release: 2%{?dist} |
|
13 | 13 |
License: GPLv1+ |
14 | 14 |
URL: http://www.perl.org/ |
15 | 15 |
Group: Development/Languages |
... | ... |
@@ -24,6 +24,7 @@ Patch2: perl-CVE-2018-6797.patch |
24 | 24 |
Patch3: perl-CVE-2018-6798-1.patch |
25 | 25 |
Patch4: perl-CVE-2018-6798-2.patch |
26 | 26 |
Patch5: perl-CVE-2018-6913.patch |
27 |
+Patch6: perl-CVE-2018-12015.patch |
|
27 | 28 |
Provides: perl >= 0:5.003000 |
28 | 29 |
Provides: perl(getopts.pl) |
29 | 30 |
Provides: /bin/perl |
... | ... |
@@ -43,6 +44,7 @@ Report Language. |
43 | 43 |
%patch3 -p1 |
44 | 44 |
%patch4 -p1 |
45 | 45 |
%patch5 -p1 |
46 |
+%patch6 -p1 |
|
46 | 47 |
|
47 | 48 |
sed -i 's/-fstack-protector/&-all/' Configure |
48 | 49 |
|
... | ... |
@@ -75,6 +77,8 @@ unset BUILD_ZLIB BUILD_BZIP2 |
75 | 75 |
%{_libdir}/perl5/%{version}/* |
76 | 76 |
%{_mandir}/*/* |
77 | 77 |
%changelog |
78 |
+* Wed Aug 08 2018 Dweep Advani <dadvani@vmware.com> 5.24.1-2 |
|
79 |
+- Fix CVE-2018-12015 |
|
78 | 80 |
* Mon May 21 2018 Xiaolin <xiaolinl@vmware.com> 5.24.1-1 |
79 | 81 |
- Fix CVE-2018-6797, CVE-2018-6798, CVE-2018-6913 |
80 | 82 |
* Tue Oct 03 2017 Dheeraj Shetty <dheerajs@vmware.com> 5.22.1-5 |