CVE-2016-6321 notes
I read this document but had a little trouble understanding it at first:
"Vulnerability: POINTYFEATHER aka Tar extract pathname bypass":
Tar will happily extract files & directories into an arbitrary location when supplied with a suitably crafted archive file. If a target system is extracting an attacker supplied file, the vulnerability can be exploited to gain file overwrite capability.
So, some notes:
tar has a long history of security issues. For example, tar files can contain paths like /etc/motd or /home/lizzie/.bashrc or ../../.bashrc. If these are extracted by a naive tar, they will be written over existing files and probably give the author of the tar file code execution.
So GNU tar has a feature to remove bad prefixes. For example,
    lizzie@0ae488040cbf:~# tar tf bad.tar
    tar: Removing leading `../' from member names
    ../etc/motd
    lizzie@0ae488040cbf:~# tar xf bad.tar
    tar: Removing leading `../' from member names
    lizzie@0ae488040cbf:~# ls
    bad.tar  etc
    lizzie@0ae488040cbf:~# ls etc/
    motd
And also GNU tar lets you specify which files to extract from a tar file:
    lizzie@0ae488040cbf:~# ls
    example.tar
    lizzie@0ae488040cbf:~# tar tf example.tar
    a
    b
    lizzie@0ae488040cbf:~# tar xf example.tar a
    lizzie@0ae488040cbf:~# ls
    a  example.tar
But the two features don't compose correctly: the member name is matched against the names requested on the command line first, and only afterwards are the bad prefixes removed. So a maliciously constructed path can match the requested name, then be sanitized into something that would never have matched, and then be extracted anyway. So,
    lizzie@0ae488040cbf:~# tar tf pointyfeather.tar
    tar: Removing leading `a/../' from member names
    a/../example
    lizzie@0ae488040cbf:~# tar xf pointyfeather.tar a
    tar: Removing leading `a/../' from member names
    lizzie@0ae488040cbf:~# ls
    example  pointyfeather.tar
The fixed version bails out immediately (1.29-2 on Arch Linux):
    [lizzie@empress misc]$ tar xf pointyfeather.tar a
    tar: Removing leading `a/../' from member names
    tar: a/../example: Member name contains '..'
    tar: Exiting with failure status due to previous errors
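The two orderings side by side, plus a pre-extraction check that works with any extractor, as an added Python example. This is not tar's source: the prefix stripping and the "requested name matches a directory prefix" rule are simplifications written after the transcripts above, and the archive is constructed in memory.

```python
import io
import tarfile

def strip_bad_prefix(name):
    # Model of tar's 'Removing leading ...' step (a simplification for this
    # example): drop everything through the last '..' component and any '/'.
    parts = name.split("/")
    cut = max((i + 1 for i, p in enumerate(parts) if p == ".."), default=0)
    return "/".join(p for p in parts[cut:] if p not in ("", "."))

def has_dotdot(name):
    return ".." in name.split("/")

def name_matches(member, requested):
    # tar matches a requested name exactly or as a directory prefix,
    # so requesting 'a' matches the member 'a/../example'.
    return any(member == r or member.startswith(r + "/") for r in requested)

def select_vulnerable(members, requested):
    # Pre-fix order: match the raw name, sanitize, then write.
    return [strip_bad_prefix(m) for m in members if name_matches(m, requested)]

def select_fixed(members, requested):
    # Fixed order: a matching '..' member is refused before anything is written.
    written, errors = [], []
    for m in members:
        if not name_matches(m, requested):
            continue
        if has_dotdot(m):
            errors.append(f"{m}: Member name contains '..'")
        else:
            written.append(strip_bad_prefix(m))
    return written, errors

def build_archive(names):
    # Constructed sample archive, built in memory for this example.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 6
            tf.addfile(info, io.BytesIO(b"owned\n"))
    return buf.getvalue()

def unsafe_members(tar_bytes):
    # Pre-extraction check for any extractor: absolute or '..' member names.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers()
                if m.name.startswith("/") or has_dotdot(m.name)]
```

Running `unsafe_members` over an archive before handing it to tar flags a/../example regardless of which tar version does the extraction.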