From 593bdd8b8dbffafbd6a8c56f3d712b397828471b Mon Sep 17 00:00:00 2001 From: Andrew Fresh Date: Tue, 19 Jun 2018 00:43:11 +0000 Subject: Avoid Archive::Tar directory traversal Addresses CVE-2018-12015 From Silamael Original bug reports: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834 https://rt.cpan.org/Public/Bug/Display.html?id=125523 Original commit with the fix: https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5 OK bluhm@, they should already be committed! deraadt@ --- gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'gnu/usr.bin/perl') diff --git a/gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm b/gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm index 6a047a32d6c..d110bd7bd8f 100644 --- a/gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm +++ b/gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm @@ -845,6 +845,20 @@ sub _extract_file { return; } + ### If a file system already contains a block device with the same name as + ### the being extracted regular file, we would write the file's content + ### to the block device. So remove the existing file (block device) now. + ### If an archive contains multiple same-named entries, the last one + ### should replace the previous ones. So remove the old file now. + ### If the old entry is a symlink to a file outside of the CWD, the new + ### entry would create a file there. This is CVE-2018-12015 + ### . + if (-l $full || -e _) { + if (!unlink $full) { + $self->_error( qq[Could not remove old file '$full': $!] ); + return; + } + } if( length $entry->type && $entry->is_file ) { my $fh = IO::File->new; $fh->open( '>' . $full ) or ( -- cgit v1.2.3