CrOS: Vulnerability reported in app-arch/tar
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: app-arch/tar
Package Version: [cpe:/a:gnu:tar:1.28]
Advisory: CVE-2016-6321
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-6321
CVSS severity score: 5/10.0
Confidence: high
Description: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.
Dec 16 2016
We use tar, but I don't think it's used to process untrusted inputs. The Files.app uses NaCl to do it as the user.
Dec 20 2016
Turns out the tar upgrade actually breaks the autotest build:

# emerge-$BOARD -1 autotest
Calculating dependencies... done!
>>> Emerging (1 of 1) chromeos-base/autotest-0.0.2-r7797::chromiumos for /build/cyan/
 * Running stacked hooks for pre_pkg_setup
 *    sysroot_build_bin_dir ...                                   [ ok ]
 * Running stacked hooks for pre_src_unpack
 *    python_multilib_setup ...                                   [ ok ]
>>> Unpacking source...
Cloning into '/build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/work/autotest-0.0.2'...
done.
>>> Source unpacked in /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/work
 * Running stacked hooks for post_src_unpack
 *    asan_init ...                                               [ ok ]
>>> Preparing source in /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/work/autotest-0.0.2 ...
cp: cannot stat '/build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/work/autotest-0.0.2/conmux': No such file or directory
>>> Source prepared.
>>> Configuring source in /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/work/autotest-0.0.2 ...
>>> Source configured.
>>> Compiling source in /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/work/autotest-0.0.2 ...
>>> Source compiled.
>>> Test phase [not enabled]: chromeos-base/autotest-0.0.2-r7797
>>> Install autotest-0.0.2-r7797 into /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/image/ category chromeos-base
>>> Completed installing autotest-0.0.2-r7797 into /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/image/
 * Generating license for chromeos-base/autotest-0.0.2-r7797 in /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797
22:49:51: INFO: Read licenses for chromeos-base/autotest-0.0.2-r7797: GPL-2
22:49:51: INFO: chromeos-base/autotest-0.0.2-r7797: using stock|cust license(s) GPL-2
 * Removing /usr/lib*/*.la
 * Removing /etc/init.d
 * Removing /etc/conf.d
 * Removing /etc/logrotate.d
 * Removing /etc/sandbox.d
 * Removing /usr/share/bash-completion
tar: Write checkpoint 1000
tar: Write checkpoint 2000
tar: Write checkpoint 3000
>>> Done.
>>> Installing (1 of 1) chromeos-base/autotest-0.0.2-r7797::chromiumos to /build/cyan/
 * Removing /usr/lib*/*.la
 * Removing /etc/init.d
 * Removing /etc/conf.d
 * Removing /etc/logrotate.d
 * Removing /etc/sandbox.d
 * Removing /usr/share/bash-completion
 * Removing /usr/share/man
 * Removing /usr/share/info
 * Removing /usr/share/doc
 * Running stacked hooks for pre_pkg_preinst
 *    wrap_old_config_scripts ...                                 [ ok ]
DEBUG:root:Running 'cd /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/temp/tmp7k2AOA && df -PB 1000000000 . | tail -1'
DEBUG:root:Running 'tar -cf /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/temp/tmp7k2AOA/client-autotest.tar.bz2.tmp -C /build/cyan/usr/local/build/autotest/client --use-compress-prog=pbzip2 --exclude=deps/* --exclude=tests/* --exclude=site_tests/* --exclude=**.pyc --exclude=profilers/cros_perf --exclude=profilers/oprofile --exclude=profilers/ftrace --exclude=profilers/blktrace --exclude=profilers/pgo --exclude=profilers/lttng --exclude=profilers/custom_perf --exclude=profilers/powertop --exclude=profilers/cpistat --exclude=profilers/iostat --exclude=profilers/sar --exclude=profilers/vmstat --exclude=profilers/mpstat --exclude=profilers/catprofile --exclude=profilers/readprofile --exclude=profilers/lockmeter --exclude=profilers/cmdprofile --exclude=profilers/perf . ../global_config.ini'
ERROR:root:[stderr] tar: ../global_config.ini: Member name contains '..'
ERROR:root:[stderr] tar: Exiting with failure status due to previous errors
Processing autotest ...
Traceback (most recent call last):
  File "/build/cyan//usr/local/build/autotest/utils/packager.py", line 301, in <module>
    main()
  File "/build/cyan//usr/local/build/autotest/utils/packager.py", line 279, in main
    remove=remove_flag)
  File "/build/cyan//usr/local/build/autotest/utils/packager.py", line 111, in process_packages
    temp_dir, exclude_string)
  File "/build/cyan/usr/local/build/autotest/client/common_lib/base_packages.py", line 811, in tar_package
    utils.system(' '.join(cmd_list))
  File "/build/cyan/usr/local/build/autotest/client/common_lib/base_utils.py", line 1006, in system
    stdout_tee=TEE_TO_LOGS, stderr_tee=TEE_TO_LOGS).exit_status
  File "/build/cyan/usr/local/build/autotest/client/common_lib/base_utils.py", line 740, in run
    "Command returned non-zero exit status")
autotest_lib.client.common_lib.error.CmdError: Command <tar -cf /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/temp/tmp7k2AOA/client-autotest.tar.bz2.tmp -C /build/cyan/usr/local/build/autotest/client --use-compress-prog=pbzip2 --exclude=deps/* --exclude=tests/* --exclude=site_tests/* --exclude=**.pyc --exclude=profilers/cros_perf --exclude=profilers/oprofile --exclude=profilers/ftrace --exclude=profilers/blktrace --exclude=profilers/pgo --exclude=profilers/lttng --exclude=profilers/custom_perf --exclude=profilers/powertop --exclude=profilers/cpistat --exclude=profilers/iostat --exclude=profilers/sar --exclude=profilers/vmstat --exclude=profilers/mpstat --exclude=profilers/catprofile --exclude=profilers/readprofile --exclude=profilers/lockmeter --exclude=profilers/cmdprofile --exclude=profilers/perf . ../global_config.ini> failed, rc=2, Command returned non-zero exit status
* Command:
    tar -cf /build/cyan/tmp/portage/chromeos-base/autotest-0.0.2-r7797/temp/tmp7k2AOA/client-autotest.tar.bz2.tmp -C /build/cyan/usr/local/build/autotest/client --use-compress-prog=pbzip2 --exclude=deps/* --exclude=tests/* --exclude=site_tests/* --exclude=**.pyc --exclude=profilers/cros_perf --exclude=profilers/oprofile --exclude=profilers/ftrace --exclude=profilers/blktrace --exclude=profilers/pgo --exclude=profilers/lttng --exclude=profilers/custom_perf --exclude=profilers/powertop --exclude=profilers/cpistat --exclude=profilers/iostat --exclude=profilers/sar --exclude=profilers/vmstat --exclude=profilers/mpstat --exclude=profilers/catprofile --exclude=profilers/readprofile --exclude=profilers/lockmeter --exclude=profilers/cmdprofile --exclude=profilers/perf . ../global_config.ini
Exit status: 2
Duration: 0.320526838303

stderr:
tar: ../global_config.ini: Member name contains '..'
tar: Exiting with failure status due to previous errors

>>> Auto-cleaning packages...
>>> Using system located in ROOT tree /build/cyan/
>>> No outdated packages were found on your system.
Dec 20 2016
Looks like the patch we added in Gentoo to fix CVE-2016-6321 was taken from the security researchers and not from the upstream GNU tar project. It disabled the use of .. during extraction, but it also incorrectly broke creation. I've pushed 1.29-r2 upstream to fix.
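As an added illustration (not code from this thread, from GNU tar, or from the ebuild), a Python model of the distinction made in the comment above: rejecting `..` components is an extraction-side safeguard for CVE-2016-6321, while creating an archive that packs `../global_config.ini` must keep working. All member names and contents are constructed.

```python
# Added example, not from the bug thread, GNU tar or the ChromeOS ebuild.
# Models where the POINTYFEATHER (CVE-2016-6321) name check belongs:
# on extraction. Applying it on creation, as the first patch did, breaks
# a legitimate `tar -cf ... . ../global_config.ini`.
import io
import tarfile


def unsafe_member_reason(name):
    """Return why a member name must not be written under the extraction
    directory, or None if it is acceptable. Absolute names and any '..'
    path component are rejected; a leading './' is harmless."""
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "contains a '..' component"
    return None


def build_archive(members):
    """Create a tar archive in memory from {name: bytes}. Creation does no
    name check, matching upstream tar, where '../x' is valid to pack."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def vet_for_extraction(archive_bytes):
    """Split an archive's members into (allowed, rejected) before extracting;
    rejected is a list of (name, reason) pairs that must be skipped."""
    allowed, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        for member in tf.getmembers():
            reason = unsafe_member_reason(member.name)
            if reason is None:
                allowed.append(member.name)
            else:
                rejected.append((member.name, reason))
    return allowed, rejected


# Constructed sample mirroring the autotest packager's command line:
# content under '.' plus '../global_config.ini' from the parent directory.
SAMPLE = build_archive({
    "./common_lib/base_utils.py": b"# client code\n",
    "../global_config.ini": b"[CLIENT]\n",
})

if __name__ == "__main__":
    print(vet_for_extraction(SAMPLE))
```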
Dec 21 2016
Thanks for the updated ebuild - I was going to fix the TODO on the line that adds the ../global_config.ini to make things work with the 1.29-r1 ebuild, but that's no longer necessary :-D I've updated the CL to pick up 1.29-r2.
Dec 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/1c01865da89b8c891309808960053323c0672e31

commit 1c01865da89b8c891309808960053323c0672e31
Author: Mattias Nissler <mnissler@chromium.org>
Date: Fri Dec 16 13:58:59 2016

app-arch/tar: Upgrade to tar-1.29-r2

This brings in the new version from upstream. Only change vs. upstream is the KEYWORDS="*" change.

BUG= chromium:674472
TEST=emerge-cyan -v1 app-arch/tar

Change-Id: Icc9c7365f95067d97f4b8ec3836a25ffb5b7a058
Reviewed-on: https://chromium-review.googlesource.com/421526
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/1c01865da89b8c891309808960053323c0672e31/app-arch/tar/files/tar-1.29-extract-pathname-bypass-upstream.patch
[add] https://crrev.com/1c01865da89b8c891309808960053323c0672e31/app-arch/tar/files/tar-1.29-extract-pathname-bypass.patch
[rename] https://crrev.com/1c01865da89b8c891309808960053323c0672e31/app-arch/tar/tar-1.29-r2.ebuild
[modify] https://crrev.com/1c01865da89b8c891309808960053323c0672e31/app-arch/tar/metadata.xml
[modify] https://crrev.com/1c01865da89b8c891309808960053323c0672e31/app-arch/tar/Manifest
Mar 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 18 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/cbf7777f414cdc54f729982cc0886f83b26e9578

commit cbf7777f414cdc54f729982cc0886f83b26e9578
Author: Mattias Nissler <mnissler@chromium.org>
Date: Tue Apr 18 05:50:20 2017

Pull in upstream tar-1.29-r3.

The new version fixes an issue introduced by the previous security fix in -r2. Only change vs. upstream is KEYWORDS="*".

BUG= chromium:674472
TEST=emerge-cyan -v1 app-arch/tar

Change-Id: I97d5e00b4d14304f214404de8ea7d8607f701872
Reviewed-on: https://chromium-review.googlesource.com/471587
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/cbf7777f414cdc54f729982cc0886f83b26e9578/app-arch/tar/files/tar-1.29-add-files.patch
[rename] https://crrev.com/cbf7777f414cdc54f729982cc0886f83b26e9578/app-arch/tar/tar-1.29-r3.ebuild
Comment 1 by mnissler@chromium.org, Dec 16 2016
Components: OS>Packages
Labels: Security_Severity-Medium Security_Impact-Stable
Owner: mnissler@chromium.org
Status: Started (was: Untriaged)