 |
with SecurityTracker! | |
|
|
with SecurityTracker! | |
| Home | View Topics | Search | |
|
|
| Category: Application (Generic) > Perl | Vendors: Wall, Larry |
|
(OpenBSD Issues Fix) Perl Directory Traversal Flaw in Archive::Tar Lets Remote Users Ovewrite Files on the Target System
| ||
| SecurityTracker Alert ID: 1041346 | ||
| SecurityTracker URL: https://securitytracker.com/id/1041346 | ||
| CVE Reference: CVE-2018-12015 (Links to External Site) | ||
|
Date: Jul 19 2018
| ||
|
Impact:
Modification of user information | ||
|
Fix Available: Yes Vendor Confirmed: Yes | ||
|
| ||
|
Description:
A vulnerability was reported in Perl. A remote user can overwrite files on the target system. A remote user can create a specially crafted tar archive containing a file and a symbolic link (symlink) with the same name that, when extracted by the target user, will create a file outside of the current working directory. This can be exploited to create or overwrite files on the target system with the privileges of the target user. The Archive::Tar module is affected. Jakub Wilk reported this vulnerability. | ||
|
Impact:
A remote user can overwrite files on the target system. | ||
|
Solution:
OpenBSD has issued a fix for CVE-2018-12015 [in June 2018]. A source code patch is available at: https://ftp.openbsd.org/pub/OpenBSD/patches/6.2/common/016_perl.patch.sig https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/011_perl.patch.sig | ||
|
Cause:
Access control error, Input validation error | ||
| Underlying OS: UNIX (OpenBSD) | ||
| Underlying OS Comments: 6.2, 6.3 | ||
|
| ||
Message History:
This archive entry is a follow-up to the message listed below.
| ||
Source Message Contents | ||
| ||