Insecure use of tarfile module PRIOR to validation of the downloaded tarfile
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
update-manager (Ubuntu) | Fix Released | Critical | Michael Vogt |
Hardy | Fix Released | High | Marc Deslauriers |
Lucid | Fix Released | High | Marc Deslauriers |
Maverick | Fix Released | High | Marc Deslauriers |
Natty | Fix Released | High | Marc Deslauriers |
Oneiric | Fix Released | High | Marc Deslauriers |
Precise | Fix Released | Critical | Michael Vogt |
update-notifier (Ubuntu) | Invalid | High | Unassigned |
Hardy | Won't Fix | High | Marc Deslauriers |
Lucid | Fix Released | High | Marc Deslauriers |
Maverick | Fix Released | High | Marc Deslauriers |
Natty | Fix Released | High | Marc Deslauriers |
Oneiric | Invalid | High | Marc Deslauriers |
Precise | Invalid | High | Unassigned |
Bug Description
The way DistUpgrade/
The python documentation for tarfile[0] has a warning which states:
'Warning Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". '
However, the code flow does the following under run()
#1 download the release tar file ... via
if not self.fetchDistU
then it runs
#2 the vulnerable tarfile code via calling
if not self.extractDis
#3 after which it verifies the upgrade files ...
if not self.verifyDist
In the extractDistUpgrader method the vulnerable use of tarfile is as follows:
def extractDistUpgr
# extract the tarbal
fname = os.path.
print "extracting '%s'" % os.path.
if not os.path.
try:
tar = tarfile.
for tarinfo in tar:
As the tar.extract method is called on the 'tarinfo', which is not 'checked' or guarded against file names containing ../ (path traversal), it would appear that the code is vulnerable to path traversal ...
[0] http://
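The fix the report is asking for has two parts: check each member's path before tar.extract touches the filesystem, and run that extraction only after the archive has been verified. The following is an added example written for this page, not update-manager's own code. It assumes an in-memory archive built from constructed hostile member names, and it uses a SHA-256 digest comparison as a stand-in for whatever check the project's step #3 verification performs; the real check is not described in the report.

```python
"""Added example, not update-manager's code: per-member path checks that
tar.extract() does not do on its own, run in verify-then-extract order.

Assumptions: the archive and its members are constructed here so the script
runs offline, and a SHA-256 digest stands in for the project's real
verification step (step #3 in the report).
"""
import hashlib
import io
import os
import tarfile
import tempfile


def member_is_safe(dest_dir, member):
    """True only if extracting `member` cannot touch anything outside dest_dir.

    Rejects absolute names, names that climb above dest_dir via "..", and
    symlink/hardlink members whose target lands outside dest_dir. realpath()
    resolves symlinks that earlier members already created, so this must run
    per member, immediately before that member is extracted.
    """
    dest = os.path.realpath(dest_dir)

    def inside(path):
        return os.path.commonpath([dest, os.path.realpath(path)]) == dest

    if os.path.isabs(member.name) or not inside(os.path.join(dest, member.name)):
        return False
    if member.issym():  # symlink targets are relative to the link's own directory
        link_dir = os.path.join(dest, os.path.dirname(member.name))
        if os.path.isabs(member.linkname) or not inside(os.path.join(link_dir, member.linkname)):
            return False
    if member.islnk():  # hard-link targets are relative to the archive root
        if os.path.isabs(member.linkname) or not inside(os.path.join(dest, member.linkname)):
            return False
    return True


def safe_extract(archive_bytes, dest_dir):
    """Extract members that pass member_is_safe(); return (extracted, rejected) names."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar:  # same loop shape as the report's extractDistUpgrader
            if member_is_safe(dest_dir, member):
                tar.extract(member, path=dest_dir)
                extracted.append(member.name)
            else:
                rejected.append(member.name)
    return extracted, rejected


def verify_then_extract(archive_bytes, expected_sha256, dest_dir):
    """Verify first: an archive that fails verification is never even opened."""
    if hashlib.sha256(archive_bytes).hexdigest() != expected_sha256:
        raise ValueError("archive failed verification; refusing to extract")
    return safe_extract(archive_bytes, dest_dir)


def build_archive(members):
    """In-memory tarball from (name, data, linkname) triples (constructed test data).

    addfile() is used on purpose: unlike add(), it does not strip a leading "/"
    or otherwise sanitise the member name, so hostile names survive intact.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in members:
            info = tarfile.TarInfo(name)
            if linkname is None:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
    return buf.getvalue()


HOSTILE_ARCHIVE = build_archive([
    ("DistUpgrade/ok.txt", b"fine\n", None),              # legitimate member
    ("../escape.txt", b"outside dest\n", None),           # classic ".." traversal
    ("/tmp/absolute.txt", b"absolute path\n", None),      # absolute member name
    ("nested/../../escape2.txt", b"x\n", None),           # ".." after a normal component
    ("DistUpgrade/passwd", None, "../../../etc/passwd"),  # symlink pointing outside
])


def demo():
    """Run the hardened path over the constructed archive; returns (extracted, rejected)."""
    with tempfile.TemporaryDirectory() as dest:
        good_digest = hashlib.sha256(HOSTILE_ARCHIVE).hexdigest()
        return verify_then_extract(HOSTILE_ARCHIVE, good_digest, dest)


def tampered_archive_is_refused():
    """One appended byte must fail verification before any member is looked at."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            verify_then_extract(HOSTILE_ARCHIVE + b"\x00",
                                hashlib.sha256(HOSTILE_ARCHIVE).hexdigest(), dest)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(demo())
```

Only DistUpgrade/ok.txt is written; the four hostile members are reported as rejected, and the tampered copy never reaches the tarfile code at all. On Python 3.12 and later the same per-member rules are available as the built-in `data` extraction filter (`tar.extractall(path, filter="data")`), which becomes the default in 3.14; the ordering point, verify before extract, still has to be enforced by the caller.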
Changed in update-manager (Ubuntu Hardy):
  status: New → Confirmed
Changed in update-manager (Ubuntu Lucid):
  status: New → Confirmed
Changed in update-manager (Ubuntu Maverick):
  status: New → Confirmed
Changed in update-manager (Ubuntu Natty):
  status: New → Confirmed
Changed in update-manager (Ubuntu Oneiric):
  status: New → Confirmed
Changed in update-manager (Ubuntu Hardy):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Lucid):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Natty):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Maverick):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Oneiric):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in update-manager (Ubuntu Hardy):
  importance: Undecided → High
Changed in update-manager (Ubuntu Lucid):
  importance: Undecided → High
Changed in update-manager (Ubuntu Maverick):
  importance: Undecided → High
Changed in update-manager (Ubuntu Natty):
  importance: Undecided → High
Changed in update-manager (Ubuntu Oneiric):
  importance: Undecided → High
Changed in update-notifier (Ubuntu Hardy):
  assignee: nobody → Marc Deslauriers (mdeslaur)
  importance: Undecided → High
  status: New → Confirmed
Changed in update-notifier (Ubuntu Lucid):
  assignee: nobody → Marc Deslauriers (mdeslaur)
  importance: Undecided → High
  status: New → Confirmed
Changed in update-notifier (Ubuntu Maverick):
  assignee: nobody → Marc Deslauriers (mdeslaur)
  importance: Undecided → High
  status: New → Confirmed
Changed in update-notifier (Ubuntu Natty):
  assignee: nobody → Marc Deslauriers (mdeslaur)
  importance: Undecided → High
  status: New → Confirmed
Changed in update-notifier (Ubuntu Oneiric):
  assignee: nobody → Marc Deslauriers (mdeslaur)
  importance: Undecided → High
  status: New → Confirmed
Changed in update-notifier (Ubuntu Precise):
  importance: Undecided → High
  status: New → Confirmed
Changed in update-notifier (Ubuntu Oneiric):
  status: Confirmed → Invalid
Changed in update-notifier (Ubuntu Precise):
  status: Confirmed → Invalid
Changed in update-notifier (Ubuntu Hardy):
  status: Confirmed → Won't Fix
  visibility: private → public
Michael, could you please take a look and confirm? Thanks.