[tar] [CVE-2007-4476] Buffer overflow

Bug #180299 reported by disabled.user
Affects              Status        Importance  Assigned to        Milestone
Fedora               Fix Released  Low
tar (Debian)         Fix Released  Unknown
tar (Gentoo Linux)   Fix Released  High
tar (Ubuntu)         Fix Released  Low         Unassigned
  Declined for Feisty by Jamie Strandboge
  Declined for Hardy by Jamie Strandboge
  Dapper             Fix Released  Undecided   Jamie Strandboge
  Gutsy              Fix Released  Undecided   Jamie Strandboge

Bug Description

Binary package hint: tar

References:
DSA-1438-1 (http://www.debian.org/security/2007/dsa-1438)
Bug #161173

Quoting:
'Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."'

I'm reporting this issue for tar, since I didn't find any corresponding USN.

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4476
to the following vulnerability:

Bug in the safer_name_suffix function in GNU tar may lead to a "crashing
stack". It can be used to crash tar while extracting archive containing file
with long name containing unsafe prefix.

Affected function is also part of cpio source code.

References:

http://www.novell.com/linux/security/advisories/2007_18_sr.html
http://lists.gnu.org/archive/html/bug-cpio/2007-08/msg00002.html

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Upstream patch for paxutils / paxlib (used by recent versions of tar and cpio):

http://cvs.savannah.gnu.org/viewvc/paxutils/paxutils/paxlib/names.c?r1=1.2&r2=1.4

Revision history for this message
In , Radek (radek-redhat-bugs) wrote :

Created attachment 236281
patch for cpio-2.6

this patch should work for all affected software as the rest of patch from
comment #1 are just optimizations for memory usage (one malloc less)

Revision history for this message
In , Radek (radek-redhat-bugs) wrote :

Fedora builds of fixed tar are now complete (with the patch from upstream):
  tar-1.15.1-27.fc6
  tar-1.15.1-28.fc7
  tar-1.17-4.fc8
  tar-1.17-4.fc9

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

tar-1.15.1-28.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Radek (radek-redhat-bugs) wrote :

Created attachment 245931
new patch for cpio-2.6 (this one frees malloc'd memory)

Revision history for this message
In , Radek (radek-redhat-bugs) wrote :

fixed Fedora builds of cpio:
  cpio-2.6-22.fc6
  cpio-2.6-28.fc7
  cpio-2.9-5.fc8
  cpio-2.9-5.fc9

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

cpio-2.6-28.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

tar-1.17-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

cpio-2.9-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
disabled.user (disabled.user-deactivatedaccount) wrote :

Is this really a duplicate of Bug #161173, since Bug #161173 is mainly about package cpio? As I've written, I've opened this report because I couldn't find a USN about a fix for this issue for tar (well, neither for cpio).

Changed in tar:
status: Unknown → Fix Released
Revision history for this message
Till Ulen (tillulen) wrote :

It is very sad that CVE-2007-4476 hasn't received any attention from the security team for several months. After reading some high-level descriptions and changelogs, it looks like Feisty and Dapper are vulnerable and that this bug might lead to arbitrary code execution when unpacking a malicious file. Unpacking tarballs downloaded from the Internet is fairly common. The bug was publicly disclosed a long time ago. If this bug is actually exploitable, it poses a considerable risk to users.

It would be nice if someone from the Ubuntu security team could comment here about the status of this bug. Did you analyze the problem and find that it is not possible to exploit it? Is it going to be fixed in the near future, or maybe it's a WontFix?

Revision history for this message
Emanuele Gentili (emgent) wrote :

upstream_tar: 1.18
dapper_tar: needed
edgy_tar: needed
feisty_tar: needed
gutsy_tar: released (1.18-2ubuntu1)
hardy_tar: released (1.18-2ubuntu1)
devel_tar: released (1.18-2ubuntu1)

Changed in tar:
importance: Undecided → High
status: New → Confirmed
Changed in tar:
status: Unknown → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Actually, Gutsy is affected, but Hardy and later are not. Feisty EOLd.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Reducing the priority because this seems to be a crasher and not exploitable.

Changed in tar:
importance: High → Low
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tar - 1.18-2ubuntu1.1

---------------
tar (1.18-2ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE: stack-based buffer overflow with malicious tar files
    - lib/paxnames.c: updated src/names.c to rewrite hash_string_prefix as
      hash_string_insert_prefix and adjust safer_name_suffix to use
      hash_string_insert_prefix to avoid stack allocation
    - patch from upstream paxlib commits:
      http://git.savannah.gnu.org/gitweb/?p=paxutils.git;a=commitdiff;h=b9199bbdefd32382953dd8c01ec881e5463c5a88
      http://git.savannah.gnu.org/gitweb/?p=paxutils.git;a=commitdiff;h=64379227940699a92113e3fd7c583e705a1f849b
    - CVE-2007-4476
    - LP: #180299

 -- Jamie Strandboge <email address hidden> Wed, 14 Jan 2009 11:06:24 -0600

Changed in tar:
status: In Progress → Fix Released
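Added example, not code from this bug report or from GNU tar/paxutils: a C model of the prefix-stripping step that both the description above ("long name containing unsafe prefix") and the gutsy-security changelog ("avoid stack allocation") refer to. Without --absolute-names, safer_name_suffix strips leading "/" and leading ".." components from each member name and warns once per distinct stripped prefix. All identifiers here (unsafe_prefix_len, prefix_set_insert, safer_name_suffix_fixed, safer_name_suffix_alloca, hostile_member_name, struct prefix_set) are assumptions chosen for the illustration. The vulnerable variant shows the alloca() pattern, where the archive dictates the size of a stack buffer; the fixed variant keeps the copy on the heap, as the changelog says hash_string_insert_prefix does; the hostile member name is constructed locally so that a 12 MB run of "../" can be fed to the heap version without touching the stack.

```c
/* Added illustration of CVE-2007-4476, not GNU tar/paxutils code. Models the prefix
   stripping of safer_name_suffix(): without --absolute-names tar drops leading '/' and
   ".." components, warning once per prefix. Names below are assumptions, not upstream. */
#include <alloca.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap-backed set of prefixes already warned about (stand-in for paxlib's hash). */
struct prefix_set { char **items; size_t count; };

/* Bytes of NAME to strip: leading slashes plus everything up to and including
   the last leading ".." component ("a/../b" strips "a/../"). No drive prefixes. */
size_t unsafe_prefix_len(const char *name)
{
    const char *p = name;
    size_t prefix_len = 0;
    while (*p) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            prefix_len = (size_t)(p + 2 - name);
        do {                                     /* skip to the next component */
            if (*p++ == '/')
                break;
        } while (*p);
    }
    for (p = name + prefix_len; *p == '/'; p++)
        ;
    return (size_t)(p - name);
}

/* Fixed shape (what upstream's hash_string_insert_prefix does): the prefix is
   copied with malloc inside the insert, so a long name costs heap, never stack. */
bool prefix_set_insert(struct prefix_set *set, const char *name, size_t len)
{
    for (size_t i = 0; i < set->count; i++)
        if (strlen(set->items[i]) == len && memcmp(set->items[i], name, len) == 0)
            return false;                        /* already warned about it */
    char **grown = realloc(set->items, (set->count + 1) * sizeof *grown);
    if (!grown)
        return false;
    set->items = grown;
    char *copy = malloc(len + 1);
    if (!copy)
        return false;
    memcpy(copy, name, len);
    copy[len] = '\0';
    set->items[set->count++] = copy;
    return true;
}

const char *safer_name_suffix_fixed(struct prefix_set *set, const char *name)
{
    size_t len = unsafe_prefix_len(name);
    if (len && prefix_set_insert(set, name, len))            /* no stack copy */
        fprintf(stderr, "Removing leading `%.*s%s' from member names\n",
                (int)(len > 40 ? 40 : len), name, len > 40 ? "..." : "");
    return name[len] ? name + len : ".";
}

/* Vulnerable shape: same logic, but the prefix is first copied into an alloca()
   buffer sized by the archive; megabytes of "../" overrun the stack. Short names only. */
const char *safer_name_suffix_alloca(struct prefix_set *set, const char *name)
{
    size_t len = unsafe_prefix_len(name);
    if (len) {
        char *prefix = alloca(len + 1);              /* attacker sizes the frame */
        memcpy(prefix, name, len);
        prefix[len] = '\0';
        if (prefix_set_insert(set, prefix, len))
            fprintf(stderr, "Removing leading `%s' from member names\n", prefix);
    }
    return name[len] ? name + len : ".";
}

/* Constructed hostile member name: N copies of "../" followed by "payload". */
char *hostile_member_name(size_t n)
{
    char *name = malloc(3 * n + sizeof "payload");
    if (!name) return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(name + 3 * i, "../", 3);
    strcpy(name + 3 * n, "payload");
    return name;
}

int main(void)
{
    struct prefix_set seen = { NULL, 0 };
    printf("%s\n", safer_name_suffix_fixed(&seen, "../../../etc/shadow"));
    char *evil = hostile_member_name(4000000);  /* 12 MB prefix: past a default 8 MB stack */
    printf("%s\n", evil ? safer_name_suffix_fixed(&seen, evil) : "(alloc failed)");
    free(evil);
    for (size_t i = 0; i < seen.count; i++)
        free(seen.items[i]);
    free(seen.items);
    return 0;
}
```

Only the heap version is ever given the long name; handing the same 12 MB name to safer_name_suffix_alloca on a default 8 MB stack is the "crashing stack" the reporters describe, which is why the upstream fix moved the copy out of the caller's frame. The 40-character cap on the warning is an addition for readability and is not how tar prints the message.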
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in tar:
status: In Progress → Fix Released
Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0141 https://rhn.redhat.com/errata/RHSA-2010-0141.html

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0144 https://rhn.redhat.com/errata/RHSA-2010-0144.html

Changed in tar (Gentoo Linux):
importance: Unknown → High
Changed in fedora:
importance: Unknown → Low
status: Confirmed → Fix Released