tar: CVE-2016-6321: Bypassing the extract path name

Debian Bug report logs - #842339
tar: CVE-2016-6321: Bypassing the extract path name

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2016-6321

Date: Fri, 28 Oct 2016 10:27:09 +0200

Package: tar
Version: 1.29b-1
Severity: grave
Tags: security

This has been assigned CVE-2016-6321:
https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt

Cheers,
        Moritz

Message #12 received at 842339@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>

To: Bdale Garbee <bdale@gag.com>, Carl Worth <cworth@cworth.org>

Cc: debian-lts@lists.debian.org, 842339@bugs.debian.org, security@debian.org, bug-tar@gnu.org

Subject: possible fixes for CVE-2016-6321

Date: Sat, 29 Oct 2016 14:52:54 -0400

Hi all,

(Debian maintainers, Debian security teams and upstream bug mailing list
in CC.)

I have added notes regarding the "/../" mismatch security issue in the
security tracker here:

https://security-tracker.debian.org/tracker/CVE-2016-6321

Basically, there's a proof of concept here:

https://sintonen.fi/advisories/tar-poc.tar

And a patch here:

https://sintonen.fi/advisories/tar-extract-pathname-bypass.patch

The issue has been resolved only on Gentoo so far and there is some
controversy with upstream regarding whether this is a real
vulnerability. From my point of view, it's a significant risk that is
well outlined in the advisory, as there is a mismatch error (you
wouldn't expect the etc/motd pattern to extract etc/passwd). But I
understand why there could be a discussion about this.

After reviewing the above patch myself, I also wonder if it is the right
solution: it simply removes checks for /../ in paths and replaces that
with a "deferred error" which translates to the familiar "Exiting with
failure status due to previous errors" when tar exits. But the malicious
paths are still extracted. Instead of giving the tree:

.
./etc
./etc/shadow

...the patched version gives the following tree:

.
./etc
./etc/motd
./etc/etc
./etc/etc/shadow

That is hardly satisfactory: a tar file with "etc/motd/../../etc/shadow"
would still overwrite the "./etc/shadow" file, I believe.

I strongly recommend *not* applying the patch given in the original
advisory as is: it just completely works around "/../" detection, and
upstream added that for a good reason.

I am not sure what the correct solution is. It seems to me this is a
typical input mismatch problem: you ask for "etc/motd" and get
"etc/shadow". ideally paths would be resolved before being matched,
which would work around the issue when asking for a specific path, but
not when extracting a whole archive...

The advisory suggests entries with "/../" could just be skipped. There
is no direct way to do this in the patched function: there is a
mechanism to process empty strings ('return "."')... but then this could
be abused to change the mode on "." when extracting. Yet it is
semantically pretty weird: this is designed for empty filenames, not for
skipping really.

Otherwise, we could just completely crash with a FATAL_EROR instead of
an ERROR:

--- a/lib/paxnames.c
+++ b/lib/paxnames.c
@@ -18,6 +18,7 @@
 #include <system.h>
 #include <hash.h>
 #include <paxlib.h>
+#include <quotearg.h>
 
 
 /* Hash tables of strings.  */
@@ -114,7 +115,15 @@ safer_name_suffix (char const *file_name
       for (p = file_name + prefix_len; *p; )
 	{
           if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
-	    prefix_len = p + 2 - file_name;
+            {
+	      static char const *const diagnostic[] =
+	      {
+		N_("%s: Member name contains '..'"),
+		N_("%s: Hard link target contains '..'")
+	      };
+	      FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
+                            quotearg_colon (file_name)));
+	    }
 
 	  do
 	    {

I would love to get more feedback on this patch. With the above, the POC
yields:

[1093]anarcat@angela:t$ ../debian/tar/bin/tar vfx ~/Downloads/tar-poc.tar etc/motd
../debian/tar/bin/tar: etc/motd/../etc/shadow: Member name contains '..'
../debian/tar/bin/tar: Error is not recoverable: exiting now
[1094]anarcat@angela:t2$ find
.

Not so great, but not vulnerable anymore. :)

Note that star skips such files "since 2003":

http://lists.gnu.org/archive/html/bug-tar/2016-10/msg00013.html

I couldn't figure out how to easily skip archive members reliably in
tar, unfortunately. I found about skip_member(), but I'm not sure where
to throw it in: it seems we could throw a loop in extract_archive(), but
there aren't any safety checks in there so far: everything seems to be
done by rewriting the path before extraction in tar, as far as I can
see, so I am hesitant in trying to change that.

A.
-- 
The greatest crimes in the world are not committed by people breaking
the rules but by people following the rules. It's people who follow
orders that drop bombs and massacre villages.
                        - Bansky

Message #17 received at 842339@bugs.debian.org (full text, mbox, reply):

From: Paul Eggert <eggert@cs.ucla.edu>

To: Antoine Beaupré <anarcat@orangeseeds.org>, Bdale Garbee <bdale@gag.com>, Carl Worth <cworth@cworth.org>

Cc: security@debian.org, 842339@bugs.debian.org, debian-lts@lists.debian.org, bug-tar@gnu.org

Subject: Re: [Bug-tar] possible fixes for CVE-2016-6321

Date: Sat, 29 Oct 2016 21:19:09 -0700

[Message part 1 (text/plain, inline)]

Thanks for the heads-up. Yes, it appears the 2003 change was not sufficiently 
paranoid about ".." in member names. Luckily, the tar manual still documents the 
pre-2003 behavior, so we can restore that behavior as a simple bug fix. I 
installed the attached patch into Savannah as one way to do that. This patch 
causes 'tar' to issue two diagnostics when given a member name containing "..", 
and I suppose tar should be cleaned up at some point to issue just one 
diagnostic. The main thing, though, is that the patch is simple and fixes the 
security gotcha in question.

I don't view this as a serious bug, as the tar manual has long said that you 
should extract untrusted tarballs only into empty directories, and doing that 
forestalls the attack even without this patch. (There are other reasons for this 
longstanding recommendation.)

[0001-When-extracting-skip-.-members.patch (text/x-diff, attachment)]

Message #30 received at 842339@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Paul Eggert <eggert@cs.ucla.edu>, 842339@bugs.debian.org

Cc: Antoine Beaupr?? <anarcat@orangeseeds.org>, Bdale Garbee <bdale@gag.com>, Carl Worth <cworth@cworth.org>, security@debian.org, debian-lts@lists.debian.org, bug-tar@gnu.org

Subject: Re: Bug#842339: [Bug-tar] possible fixes for CVE-2016-6321

Date: Sun, 30 Oct 2016 08:07:14 +0100

[Message part 1 (text/plain, inline)]

Control: tags -1 + patch

(dropping the bug-tar list, since this reply only relevant within
Debian).

Hi Paul,

On Sat, Oct 29, 2016 at 09:19:09PM -0700, Paul Eggert wrote:
> Thanks for the heads-up. Yes, it appears the 2003 change was not
> sufficiently paranoid about ".." in member names. Luckily, the tar manual
> still documents the pre-2003 behavior, so we can restore that behavior as a
> simple bug fix. I installed the attached patch into Savannah as one way to
> do that. This patch causes 'tar' to issue two diagnostics when given a
> member name containing "..", and I suppose tar should be cleaned up at some
> point to issue just one diagnostic. The main thing, though, is that the
> patch is simple and fixes the security gotcha in question.
> 
> I don't view this as a serious bug, as the tar manual has long said that you
> should extract untrusted tarballs only into empty directories, and doing
> that forestalls the attack even without this patch. (There are other reasons
> for this longstanding recommendation.)

Thanks for the patch!

For reference, attached would be the debdiff for a possible unstable
and jessie-security upload.

Regards,
Salvatore

[tar_1.27.1-2+deb8u1.debdiff (text/plain, attachment)]

[tar_1.29b-1.1.debdiff (text/plain, attachment)]

Message #37 received at 842339-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 842339-close@bugs.debian.org

Subject: Bug#842339: fixed in tar 1.29b-1.1

Date: Mon, 31 Oct 2016 13:06:42 +0000

Source: tar
Source-Version: 1.29b-1.1

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842339@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Oct 2016 07:35:31 +0100
Source: tar
Binary: tar tar-scripts
Architecture: source
Version: 1.29b-1.1
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 842339
Description: 
 tar        - GNU version of the tar archiving utility
 tar-scripts - optional scripts for GNU version of the tar archiving utility
Changes:
 tar (1.29b-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-6321: Bypassing the extract path name.
     When extracting, member names containing '..' components are skipped.
     (Closes: #842339)
Checksums-Sha1: 
 f29387983be4c4e187844b31a3dca5d9ba682350 2057 tar_1.29b-1.1.dsc
 b173024f3ab1f2ba77df662654ec588a19b85058 28484 tar_1.29b-1.1.debian.tar.xz
Checksums-Sha256: 
 9474ed422017e23e8208785c071b9f7765d73d704b9bb19da22699c6581d73ef 2057 tar_1.29b-1.1.dsc
 380f80af0e87446796f05ba384c5d130ea2ad5978b8cfdcf315503966333ebb9 28484 tar_1.29b-1.1.debian.tar.xz
Files: 
 038053747784adbbb0b56b1e58b0397c 2057 utils required tar_1.29b-1.1.dsc
 8ca20689e54964b05c6c4c51440762d1 28484 utils required tar_1.29b-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKPBAEBCgB5BQJYFZaYXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0NjQ0NDA5ODA4QzE3MUUwNTUzMURERUUw
NTRDQjhGMzEzNDNDRjQ0EhxjYXJuaWxAZGViaWFuLm9yZwAKCRAFTLjzE0PPRLW/
D/9rczehCKrzLD1yuYf+eDcxW0exnR4+94FVD6GPXn/JELgfe1dWHEq8H98QIHjw
sSFPlJJU1l0Yaqs1AlIdufQKs+okpEZRSjWJ4aam/2q0KLHyGHyFddQzCLaNxVDT
19AoJzbqXMRSS1e8fPqJZWInMRHk93usmR9OOwG/RAYuC57x79P6SquzYvfjQ6iH
j04Kb1KiNRwyE9AMHitBCipI5vLBin8DWa8IUWfvYp1gUBtURuasf2eqC5lvm3oS
y9mR4t6WBhgqEcfXVE6w+YH1LqKnXMKGO6coXOLJpHwEHE32W4CZ4c6YRHI47IGJ
669jpED+kYYlEJdnXWo4CtnmdiQWQdAqsjQxO6iCPxk4W8uB8MMXlxeWiBDqahW1
PVWrvF8Qf4ozqfaFMS9p2MvkvOD+arUAH5uOr+QIVZBjyecMPasDuP+TAzWffMaf
KYMcCupcwr27iF2nHkfG9NquqegcBZxbXJyGdClGRLcmckiuj0HOpHL3H06HP0B7
+mStvTLjUM6CKDu+YxwZ04przULv26sG9FlfFnAUTnVKlI0rN15HJO225LpbXvFF
CXcWsQtZkKxHZdJWsn9hsHXZeqe+cLuIUMjzR5oVT2Mygy32pAQmVnGil6wOBoMW
vyPN7PWdO6IyrBHgIdpXBShH+59QJFYyONidX6eizJmjog==
=qb9Q
-----END PGP SIGNATURE-----

Message #42 received at 842339@bugs.debian.org (full text, mbox, reply):

From: mohamad firdaus hasnan <mohamadfirdaushasnan@gmail.com>

To: 842339@bugs.debian.org

Subject: Re: [PATCH] When extracting, skip ".." members

Date: Sun, 6 Nov 2016 00:26:03 +0800

[Message part 1 (text/plain, inline)]

Date: Sat, 29 Oct 2016 21:04:40 -0700
>From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
>-------------
>Body: ur-type{attachments=[]; body=Package: tar
>Version: 1.29b-1
>Severity: grave
>Tags: security
>
>This has been assigned CVE-2016-6321:
>https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt
>
>Cheers,
>        Moritz
>
>; header=Received: (at submit) by bugs.debian.org; 28 Oct 2016 08:27:14
0000
>From jmm@debian.org Fri Oct 28 08:27:14 2016
>X-Spam-Checker-Version: SpamAssassin 3.4.0-bugs.debian.org_2005_01_02
> (2014-02-07) on buxtehude.debian.org
>X-Spam-Level:
>X-Spam-Status: No, score=-12.4 required=4.0 tests=BAYES_00,FROMDEVELOPER,
> HAS_PACKAGE,ONEWORD,RCVD_IN_DNSWL_MED,URIBL_CNKR,XMAILER_REPORTBUG,
> X_DEBBUGS_CC autolearn=ham autolearn_force=no
> version=3.4.0-bugs.debian.org_2005_01_02
>X-Spam-Bayes: score:0.0000 Tokens: new, 24; hammy, 84; neutral, 25;
spammy, 0.
> spammytokens: hammytokens:0.000- --H*x:6.6.6, 0.000- --H*UA:6.6.6,
> 0.000- --H*M:reportbug, 0.000- --H*MI:reportbug, 0.000- --H*x:reportbug
>Return-path: <jmm@debian.org>
>Received: from inutil.org ([83.151.30.8])
> by buxtehude.debian.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:256)
> (Exim 4.84_2)
> (envelope-from <jmm@debian.org>)
> id 1c02VN-000643-Pb
> for submit@bugs.debian.org; Fri, 28 Oct 2016 08:27:13  0000
>Received: from dyndsl-095-033-044-233.ewe-ip-backbone.de ([95.33.44.233]
helo=pisco.westfalen.local)
> by inutil.org with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32)
> (Exim 4.72)
> (envelope-from <jmm@debian.org>)
> id 1c02VK-0003Vz-HE; Fri, 28 Oct 2016 10:27:10  0200
>Received: from jmm by pisco.westfalen.local with local (Exim 4.87)
> (envelope-from <jmm@debian.org>)
> id 1c02VJ-0006bv-1e; Fri, 28 Oct 2016 10:27:09  0200
>Content-Type: text/plain; charset="us-ascii"
>MIME-Version: 1.0
>Content-Transfer-Encoding: 7bit
>From: Moritz Muehlenhoff <jmm@debian.org>
>To: Debian Bug Tracking System <submit@bugs.debian.org>
>Subject: CVE-2016-6321
>Message-ID:
<147764322902.25315.15378751384226787950.reportbug@pisco.westfalen.local>
>X-Mailer: reportbug 6.6.6
>Date: Fri, 28 Oct 2016 10:27:09  0200
>X-Debbugs-Cc: Debian Security Team <team@security.debian.org>,
> Debian Testing Security Team
> <secure-testing-team@lists.alioth.debian.org>
>X-SA-Exim-Connect-IP: 95.33.44.233
>X-SA-Exim-Mail-From: jmm@debian.org
>X-SA-Exim-Scanned: No (on inutil.org); SAEximRunCond expanded to false
>Delivered-To: submit@bugs.debian.org

[Message part 2 (text/html, inline)]

Message #47 received at 842339-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 842339-close@bugs.debian.org

Subject: Bug#842339: fixed in tar 1.27.1-2+deb8u1

Date: Sat, 05 Nov 2016 18:47:41 +0000

Source: tar
Source-Version: 1.27.1-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842339@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Oct 2016 07:48:55 +0100
Source: tar
Binary: tar tar-scripts
Architecture: source
Version: 1.27.1-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 842339
Description: 
 tar        - GNU version of the tar archiving utility
 tar-scripts - optional scripts for GNU version of the tar archiving utility
Changes:
 tar (1.27.1-2+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-6321: Bypassing the extract path name.
     When extracting, member names containing '..' components are skipped.
     (Closes: #842339)
Checksums-Sha1: 
 7c0ccb9634e780a798889e835142730e094cb18a 2049 tar_1.27.1-2+deb8u1.dsc
 ff027757abf420beb2f09fa59b37debbd45b15dd 1704252 tar_1.27.1.orig.tar.xz
 39a2f53db5bc8d2b0d90aab3f9502a5abb4ae573 32632 tar_1.27.1-2+deb8u1.debian.tar.xz
Checksums-Sha256: 
 e42e96a9cdf325d7f030306735a1380276670deb72541a7f97ffe59a1e32e67b 2049 tar_1.27.1-2+deb8u1.dsc
 58169c5a03c04be20d3fb91010b01e822c6a58060a96e7cf2f9c1944de0151ab 1704252 tar_1.27.1.orig.tar.xz
 dc2e495770f6c1c79a4e299d4008c8cb1f91a48e823751bc95d7f26ae498f995 32632 tar_1.27.1-2+deb8u1.debian.tar.xz
Files: 
 d28624d0fbf4b3b28b0e56a34f28132c 2049 utils required tar_1.27.1-2+deb8u1.dsc
 992c029086ad2ab7c27d5c32db7d4400 1704252 utils required tar_1.27.1.orig.tar.xz
 fc2673e35962a76a9624d05b96fb0b46 32632 utils required tar_1.27.1-2+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKPBAEBCgB5BQJYFZmXXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0NjQ0NDA5ODA4QzE3MUUwNTUzMURERUUw
NTRDQjhGMzEzNDNDRjQ0EhxjYXJuaWxAZGViaWFuLm9yZwAKCRAFTLjzE0PPRNns
D/wIe9Ix9+BADZLYWUydM6edaN+hBlFL4bmW5SFKebmvkSwFnnOwv/zLHXde4NEd
2op7Ok8bCWIYI/Md67bWKstJjmGyMIg8Ez8csYNZjjsYnqkAFl2O9KMPFfFwIQjr
Xr092VZqyqlYpQaUi9Wvk5Pf9KyxJNA2yDiWXqM0Ry7V8JcK3ExetxcI35iSuWDQ
7G9c/Wmdr9Bsj+xeV43pPY1PjCuMOfAKDcsX95ZiZ2e8QgwDg2f0i0tIHpmYkdy1
gFMES81iZF1615I6lMbJNh/IXVRUjSmfMSfm/Sj94rfm3aSlgOvaBzXjkelAUzD+
IUfoHSWbq0jQd8HxhdtjRAgiHsgTaSHpmZwMrXVurD+1DWBKWMHgdmBXG4UfszYV
DI9TnfbJRwgnFHCpHDeETv51nOpnpu45g4tfBYX33PRFwZzJSA83/SPK9JpYWuF2
VwaVwVtNyAWQWLee0fPY1TC4Z7mjOU821aIbGBto5TpzlJLTbmtXhqtKnNNSMA31
MonpCspKJTza7njfl6NcTwDI6IoROHKHPrMoAuk+bXc5UujmbUS+1tO+1s3x+Awf
TjVOMBbtZ2RNdREKlzot1Td8zIXQZ+/aWD3nqNOgvjRbKUnr3oFI6XOBoT7oD20I
quL56ZpDEr3+PGryjOEfBaBEitDiN3Z+Z1g/7NR4+24Dlw==
=TiVx
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.