[Bug 881548] Re: Insecure use of tarfile module PRIOR to validation of the downloaded tarfile
Launchpad Bug Tracker
881548 at bugs.launchpad.net
Tue Nov 29 09:20:17 UTC 2011
This bug was fixed in the package update-manager - 1:0.154.5
---------------
update-manager (1:0.154.5) precise; urgency=low

  [ Nicholas Skaggs ]
  * lp:~nskaggs/update-manager/fix-for-702418:
    - Removed gnome-power-manager dbus interface completely and
      only use freedesktop interface.
      Thanks to Nicholas Skaggs (LP: #702418)

  [ Gabor Kelemen ]
  * Replace gettext.install() with bindtextdomain() calls.
    Work around crash in OptionParser when displaying
    localized --help text, to not regress on bug LP: #557804
  * Extract strings for translation from u-m-t and u-s-s executables

  [ Marc Deslauriers ]
  * SECURITY UPDATE: arbitrary code execution via directory traversal
    (LP: #881548)
    - UpdateManager/Core/DistUpgradeFetcherCore.py: verify signature before
      unpacking the tarball.
    - CVE-2011-3152
  * SECURITY UPDATE: information leak via insecure temp file (LP: #881541)
    - DistUpgrade/DistUpgradeViewKDE.py: use mkstemp instead of mktemp.
    - CVE-2011-3154

  [ Michael Vogt ]
  * UpdateManager/UpdateManager.py:
    - ensure that the origin headers state of "select all/dselect all"
      is consistent

 -- Michael Vogt <michael.vogt at ubuntu.com>  Tue, 29 Nov 2011 09:58:15 +0100
** Changed in: update-manager (Ubuntu Precise)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/881548
Title:
Insecure use of tarfile module PRIOR to validation of the downloaded
tarfile
Status in “update-manager” package in Ubuntu:
Fix Released
Status in “update-notifier” package in Ubuntu:
Invalid
Status in “update-manager” source package in Lucid:
Fix Released
Status in “update-notifier” source package in Lucid:
Fix Released
Status in “update-manager” source package in Maverick:
Fix Released
Status in “update-notifier” source package in Maverick:
Fix Released
Status in “update-manager” source package in Natty:
Fix Released
Status in “update-notifier” source package in Natty:
Fix Released
Status in “update-manager” source package in Oneiric:
Fix Released
Status in “update-notifier” source package in Oneiric:
Invalid
Status in “update-manager” source package in Precise:
Fix Released
Status in “update-notifier” source package in Precise:
Invalid
Status in “update-manager” source package in Hardy:
Fix Released
Status in “update-notifier” source package in Hardy:
Won't Fix
Bug description:
The way DistUpgrade/DistUpgradeFetcherCore.py uses tarfile is dangerous ...
The python documentation for tarfile[0] has a warning which states:
"Warning: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..""
However, the code flow does the following under run():

  #1 download the release tar file via
       if not self.fetchDistUpgrader():
  #2 then it runs the vulnerable tarfile code by calling
       if not self.extractDistUpgrader():
  #3 after which it verifies the upgrade files
       if not self.verifyDistUprader():
In the extractDistUpgrader method the vulnerable use of tarfile is as follows:

    def extractDistUpgrader(self):
        # extract the tarball
        fname = os.path.join(self.tmpdir,os.path.basename(self.uri))
        print "extracting '%s'" % os.path.basename(fname)
        if not os.path.exists(fname):
            return False
        try:
            tar = tarfile.open(self.tmpdir+"/"+os.path.basename(self.uri),"r")
            for tarinfo in tar:
                # tarinfo.name is passed straight to extract(), unchecked
                tar.extract(tarinfo)
            tar.close()

As the tar.extract method is called on the 'tarinfo' which is not
'checked' or guarded against ../'s (path traversal) containing
filenames, it would appear that the code is vulnerable to path traversal
...
[0]
http://docs.python.org/library/tarfile.html#tarfile.TarFile.extract
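The member inspection the tarfile warning asks for, as an added example that is not update-manager's code: every member name and link target is resolved against the destination before anything is extracted, and the archive is refused whole if any member would land outside it. The helper names, the constructed archives and the member names are mine.

```python
# Added example: inspect tar members before extract(), the step the report
# says extractDistUpgrader() skips. Not update-manager's own code.
import io
import os
import tarfile
import tempfile

def unsafe_members(tar, dest):
    """Names of members whose path or link target would escape dest."""
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            bad.append(m.name)              # absolute name or '..' traversal
            continue
        if m.issym():                       # symlink: relative to its own dir
            link = os.path.join(os.path.dirname(target), m.linkname)
        elif m.islnk():                     # hard link: relative to archive root
            link = os.path.join(root, m.linkname)
        else:
            continue
        if os.path.commonpath([root, os.path.realpath(link)]) != root:
            bad.append(m.name)              # link pointing outside the tree
    return bad

def safe_extract(tar_bytes, dest):
    """Extract only if every member stays inside dest; returns (ok, offenders)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            return False, bad               # refuse the whole archive
        for m in tar.getmembers():
            tar.extract(m, path=dest)
    return True, []

def build_tar(entries):
    """Constructed in-memory archive; entries are (name, data) or (name, None, linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, *link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link[0]
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def run_check(tar_bytes):
    """Extract into a fresh temp dir; returns (ok, offenders, files actually written)."""
    with tempfile.TemporaryDirectory() as dest:
        ok, bad = safe_extract(tar_bytes, dest)
        written = sorted(os.path.relpath(os.path.join(d, f), dest)
                         for d, _, fs in os.walk(dest) for f in fs)
    return ok, bad, written

# Constructed samples: a clean archive and one carrying the three escape forms.
CLEAN = build_tar([("DistUpgrade/release", b"precise\n")])
HOSTILE = build_tar([("DistUpgrade/release", b"precise\n"),
                     ("../escape.txt", b"outside\n"),
                     ("/abs.txt", b"outside\n"),
                     ("link", None, "../../outside")])
```

With the signature check ordered before extraction, as the changelog entry does, this inspection is a second, independent guard rather than the only one.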