[Bug 881548] Re: Insecure use of tarfile module PRIOR to validation of the downloaded tarfile

Marc Deslauriers marc.deslauriers at canonical.com
Mon Nov 28 18:02:42 UTC 2011


** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/881548

Title:
  Insecure use of tarfile module PRIOR to validation of the downloaded
  tarfile

Status in “update-manager” package in Ubuntu:
  In Progress
Status in “update-notifier” package in Ubuntu:
  Invalid
Status in “update-manager” source package in Lucid:
  Fix Released
Status in “update-notifier” source package in Lucid:
  Fix Released
Status in “update-manager” source package in Maverick:
  Fix Released
Status in “update-notifier” source package in Maverick:
  Fix Released
Status in “update-manager” source package in Natty:
  Fix Released
Status in “update-notifier” source package in Natty:
  Fix Released
Status in “update-manager” source package in Oneiric:
  Fix Released
Status in “update-notifier” source package in Oneiric:
  Invalid
Status in “update-manager” source package in Precise:
  In Progress
Status in “update-notifier” source package in Precise:
  Invalid
Status in “update-manager” source package in Hardy:
  Fix Released
Status in “update-notifier” source package in Hardy:
  Won't Fix

Bug description:
  The way DistUpgrade/DistUpgradeFetcherCore.py uses tarfile is dangerous ...  
  The python documentation for tarfile[0] has a warning which states:
  'Warning Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". '

  However, the code flow does the following under run():
  #1 download the release tar file ... via
     if not self.fetchDistUpgrader():

  then it runs
  #2 the vulnerable tarfile code via calling
     if not self.extractDistUpgrader():

  #3 after which it verifies the upgrade files ...
     if not self.verifyDistUprader():

  
  In the extractDistUpgrader method the vulnerable use of tarfile is as follows:
      def extractDistUpgrader(self):
          # extract the tarball
          fname = os.path.join(self.tmpdir, os.path.basename(self.uri))
          print "extracting '%s'" % os.path.basename(fname)
          if not os.path.exists(fname):
              return False
          try:
              tar = tarfile.open(self.tmpdir + "/" + os.path.basename(self.uri), "r")
              for tarinfo in tar:
                  # tarinfo.name is used as-is: nothing rejects '..' segments or a leading '/'
                  tar.extract(tarinfo)
              tar.close()
          except tarfile.TarError:
              # (except clause assumed for completeness; the quoted excerpt ends at tar.close())
              return False

  As the tar.extract method is called on the 'tarinfo', which is not
  'checked' or guarded against filenames containing ../'s (path
  traversal), it would appear that the code is vulnerable to path
  traversal ...
  [0]
  http://docs.python.org/library/tarfile.html#tarfile.TarFile.extract
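The inspection the report says is missing, shown as an added example in Python 3 (this is not code from update-manager or from the reporter): a helper that resolves each member's path against the real destination directory, including symlink and hardlink targets, and refuses the whole archive if any member would land outside it, before tar.extract() is ever called. The archive it audits is constructed in memory with one benign member and three escaping ones; every function name below is hypothetical.

```python
import io
import os
import tarfile
import tempfile


def member_escapes(member, dest):
    """True if extracting `member` into `dest` would write, or link, outside it.

    Hypothetical helper (not from update-manager). The member's own name and,
    for symlinks and hardlinks, the link target are resolved against the real
    destination so that '..' segments, absolute names and links pointing out
    of the tree are all caught before anything touches the filesystem.
    """
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return True
    if member.issym():
        # Symlink targets are relative to the directory that holds the link.
        link_target = os.path.realpath(os.path.join(os.path.dirname(target), member.linkname))
        return os.path.commonpath([dest, link_target]) != dest
    if member.islnk():
        # Hardlink targets are relative to the archive root, i.e. to dest.
        link_target = os.path.realpath(os.path.join(dest, member.linkname))
        return os.path.commonpath([dest, link_target]) != dest
    return False


def unsafe_members(tar, dest):
    """Names of the members of an open TarFile that must not be extracted into dest."""
    return [m.name for m in tar.getmembers() if member_escapes(m, dest)]


def safe_extract(tar, dest):
    """Audit every member first; refuse the whole archive if any one escapes."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing archive: members escape %s: %s" % (dest, bad))
    # On Python 3.12+ additionally ask the stdlib to apply its own 'data' filter.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    for member in tar.getmembers():
        tar.extract(member, path=dest, **extract_kwargs)
    return [m.name for m in tar.getmembers()]


def _add_file(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_archive(include_hostile=True):
    """Constructed sample archive, built in memory: one benign member and,
    optionally, the three kinds of escaping member the audit must catch."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "upgrade/README", b"benign content\n")
        if include_hostile:
            _add_file(tar, "../outside.txt", b"written via ..\n")
            _add_file(tar, "/tmp/absolute.txt", b"absolute member name\n")
            link = tarfile.TarInfo("upgrade/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../elsewhere"  # symlink pointing above dest
            tar.addfile(link)
    return buf.getvalue()


def audit_sample_archive():
    """Run the audit on the hostile sample in a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_sample_archive()), mode="r") as tar:
            return unsafe_members(tar, dest)


def extract_sample(include_hostile):
    """Content of upgrade/README after a guarded extraction, or None if refused."""
    with tempfile.TemporaryDirectory() as dest:
        data = build_sample_archive(include_hostile)
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
            try:
                safe_extract(tar, dest)
            except ValueError:
                return None
        with open(os.path.join(dest, "upgrade", "README"), "rb") as fh:
            return fh.read()


if __name__ == "__main__":
    print("members refused:", audit_sample_archive())
    print("hostile archive extracted:", extract_sample(True) is not None)
    print("benign archive README:", extract_sample(False))
```

The audit only addresses the second half of the report. The ordering problem stays: a downloaded archive should have its signature checked (the verifyDistUprader step) before tarfile.open() is called on it at all, since a parser running on unverified input is itself attack surface. On Python 3.12 and later the standard library's extraction filters (filter="data" on extract() and extractall()) reject absolute names, members resolving outside the destination and links pointing out of it, which covers the same cases as the helper above.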

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/881548/+subscriptions
More information about the foundations-bugs mailing list