Bug 42893
| Summary: | tar: overwrite arbitrary files through crafted files (4.1) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Security updates | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
| Severity: | normal | ||
| Priority: | P3 | Flags: | requate:
Patch_Available+
|
| Version: | UCS 4.1 | ||
| Target Milestone: | UCS 4.1-4-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Bug Depends on: | |||
| Bug Blocks: | 42894 | ||
|
Description
Arvid Requate
Advisory: tar.yaml OK: advisory OK: tried POC: root@slave45:~# wget http://updates-test.software-univention.de/4.0/maintained/4.0-0/amd64/tar_1.26+dfsg-0.1.37.201403250428_amd64.deb root@slave45:~# dpkg -l tar ii tar 1.26+dfsg-0.1.37. amd64 root@slave45:~# curl https://sintonen.fi/advisories/tar-poc.tar | tar xv etc/motd tar: Entferne führende „etc/motd/../“ von Elementnamen etc/motd/../etc/shadow root@slave45:~# ls -l etc/ insgesamt 4 -rw------- 1 root root 21 Mär 11 2016 shadow root@slave45:~# cat etc/shadow root::0:0:99999:7::: root@slave45:~# rm -r etc root@slave45:~# univention-upgrade --ignoressh --ignoreterm root@slave45:~# dpkg -l tar ii tar 1.26+dfsg-0.1.38. amd64 root@slave45:~# curl https://sintonen.fi/advisories/tar-poc.tar | tar xv etc/motd tar: Entferne führende „etc/motd/../“ von Elementnamen tar: etc/motd/../etc/shadow: Member name contains '..' tar: Beende mit Fehlerstatus aufgrund vorheriger Fehler root@slave45:~# ls -la etc ls: Zugriff auf etc nicht möglich: Datei oder Verzeichnis nicht gefunden |