
Minitar directory traversal vulnerability #16

Closed
ecneladis opened this issue Aug 22, 2016 · 7 comments

Comments

@ecneladis

ecneladis commented Aug 22, 2016

Overview

Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Analogous vulnerabilities for unzip and tar: https://www.cvedetails.com/cve/CVE-2001-1268/ and http://www.cvedetails.com/cve/CVE-2001-1267/

Proof of Concept

```
~/current/tar_symlink ❯ tar -tvf symlink-overwrite.tar
lrwxrwxrwx  0 0      0           0 Jan  1  1970 ../../../../../../../../../../../../../../tmp/qwerty→
```

Actual behaviour:

```
~/current/tar_symlink ❯ rm -rf /tmp/qwerty1234
~/current/tar_symlink ❯ minitar extract symlink-overwrite.tar
~/current/tar_symlink ❯ ls -al /tmp/qwerty1234
-rwxrwxrwx 1 anon wheel 0 Jan 12 22:44 /tmp/qwerty1234
```

Desired behaviour:

```
~/current/tar_symlink ❯ tar -xf symlink-overwrite.tar
../../../../../../../../../../../../../../tmp/qwerty1234: Path contains '..'
tar: Error exit delayed from previous errors.
```

Example of how bsdtar handles this kind of issue:

```
 o       Archive entries can have absolute pathnames.  By default, tar
         removes the leading / character from filenames before restoring
         them to guard against this problem.

 o       Archive entries can have pathnames that include .. components.
         By default, tar will not extract files containing .. components
         in their pathname.

 o       Archive entries can exploit symbolic links to restore files to
         other directories.  An archive can restore a symbolic link to
         another directory, then use that link to restore a file into that
         directory.  To guard against this, tar checks each extracted path
         for symlinks.  If the final path element is a symlink, it will be
         removed and replaced with the archive entry.  If -U is specified,
         any intermediate symlink will also be unconditionally removed.
         If neither -U nor -P is specified, tar will refuse to extract the
         entry.
```

Vulnerable, verified versions of gems:

```
~ ❯ gem list | grep tar
archive-tar-minitar (0.5.2)
minitar (0.5.4)
```

Related issue: atoulme/minitar#5
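The three bsdtar defaults quoted in the report (strip a leading `/`, refuse `..` components, do not write through a symlink) can be expressed as a small entry-name guard that an extractor consults before creating each file. The block below is an added example written for this page; it is not minitar's code and not the reporter's. The module name `TarEntryGuard`, its methods, and the entry names in the demo are all assumptions or constructed samples. It is stricter than bsdtar on one point: bsdtar removes and replaces a symlink in the final path element, whereas this guard rejects a symlink at any level.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not minitar's own code): decides whether a tar entry name may
# be written under a destination directory, following the bsdtar defaults
# quoted in the issue: drop a leading '/', refuse any '..' component, and
# refuse to write through a symlink that already exists under the destination.
module TarEntryGuard
  class UnsafeEntry < StandardError; end

  # Strips leading '/' characters and drops '.' and empty components.
  # Raises UnsafeEntry when a '..' component appears anywhere in the name,
  # even one that would resolve back inside the destination.
  def self.normalize_entry_name(name)
    parts = name.sub(%r{\A/+}, '').split('/').reject { |p| p.empty? || p == '.' }
    raise UnsafeEntry, "#{name}: Path contains '..'" if parts.include?('..')
    parts.join('/')
  end

  # Returns the absolute path the entry would be written to, or raises
  # UnsafeEntry if it would land outside dest_dir or pass through a symlink.
  def self.safe_target(dest_dir, name)
    rel = normalize_entry_name(name)
    raise UnsafeEntry, "#{name}: empty entry name" if rel.empty?

    root = File.expand_path(dest_dir)
    target = File.expand_path(rel, root)
    # Containment check that does not depend on the component filter above.
    prefix = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR
    raise UnsafeEntry, "#{name}: escapes #{root}" unless target.start_with?(prefix)

    # Walk the path as it exists on disk: a symlink at any level (possibly
    # dropped there by an earlier entry) would redirect this write elsewhere.
    current = root
    rel.split('/').each do |component|
      current = File.join(current, component)
      raise UnsafeEntry, "#{name}: #{current} is a symlink" if File.symlink?(current)
      break unless File.exist?(current) # nothing deeper exists yet
    end
    target
  end

  # Reviews a whole archive listing: maps each entry name to its resolved
  # target, or to the reason it was rejected.
  def self.classify(dest_dir, names)
    names.each_with_object({}) do |n, out|
      begin
        out[n] = safe_target(dest_dir, n)
      rescue UnsafeEntry => e
        out[n] = "REJECTED: #{e.message}"
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed entry names modelled on the issue's proof of concept.
  entries = ['etc/app.conf', '/etc/passwd', '../../../../../../tmp/qwerty1234', './a/../b']
  Dir.mktmpdir do |dir|
    # Simulate an earlier entry that left a symlink inside the destination.
    File.symlink('/tmp', File.join(dir, 'link'))
    TarEntryGuard.classify(dir, entries + ['link/payload']).each { |n, r| puts "#{n} => #{r}" }
  end
end
```

An extractor would call `safe_target` once per entry and only then open the file for writing; the `classify` helper is useful for auditing a listing such as `tar -tvf` output before any extraction happens.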

@mveytsman

Hi @halostatue, I'm in the process of requesting a CVE for this issue. It looks like this has been resolved.

I see that the latest version on Rubygems is 0.5.4. Is this still a pre-release repo? Is it correct to say that it will be fixed in 0.6, whenever that's released?

@halostatue
Owner

It is correct to say that it will be fixed in 0.6. I hope to have this released soon but am trying to catch up on other stuff before I release this (which is a slightly breaking change).

@halostatue
Owner

It’s blocked on #20, but that’s all on me.

@jordimassaguerpla

This is a proposed patch for previous versions:

https://bugzilla.opensuse.org/show_bug.cgi?id=1021740#c5

@carnil

carnil commented Jan 29, 2017

This issue has been assigned CVE-2016-10173.

@CpuID

CpuID commented Feb 2, 2017

Note, bundle-audit already catches minitar 0.5.4 as being vulnerable as per the CVE, and advises an upgrade to 0.6.0 which is yet-to-be-released. This may be failing CI jobs for some people who perform bundle-audit checks there (as we do).

@halostatue
Owner

Thank you. I’m in the middle of a fairly busy week at work and do not expect to be able to finalize and prepare a release before the weekend at the earliest. Sorry for this, but this hasn’t been something at the top of my priority list because it’s not my paying job. I will try to get it done for the weekend.

halostatue added a commit that referenced this issue Feb 5, 2017
halostatue added a commit that referenced this issue Feb 6, 2017
Fixes #16, CVE-2016-10173

Also makes the move from minitar.gemspec to archive-tar-minitar.gemspec.
halostatue added a commit that referenced this issue Feb 7, 2017
Fixes #16, CVE-2016-10173

Also makes the move from minitar.gemspec to archive-tar-minitar.gemspec.
amatteini added a commit to mes/opzworks that referenced this issue Jan 4, 2018
Version: 0.5.4
Advisory: CVE-2016-10173
Criticality: Unknown
URL: halostatue/minitar#16
Title: Minitar Directory Traversal Vulnerability
Solution: upgrade to >= 0.6.1