thr3ads.net - Libguestfs - [Libguestfs] [PATCH] v2v: tests: avoid '..' in member names for tar [Dec 2016]

If this information is useful, please help other people find it:
Share via:

Pino Toscano

2016-Dec-12 17:28 UTC

[Libguestfs] [PATCH] v2v: tests: avoid '..' in member names for tar

Very recent versions of tar (most probably as a consequence of
CVE-2016-6321) may refuse archive members with '..', like the relative
paths to upper level directories.

Since these are just tests, simply copy the files in the temporary
directories where tar (or zip as well) is run, so all the files are in
the same directory.
---
 v2v/test-v2v-i-ova-formats.sh   | 9 +++++----
 v2v/test-v2v-i-ova-gz.sh        | 3 ++-
 v2v/test-v2v-i-ova-two-disks.sh | 3 ++-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/v2v/test-v2v-i-ova-formats.sh b/v2v/test-v2v-i-ova-formats.sh
index d113994..ab15f32 100755
--- a/v2v/test-v2v-i-ova-formats.sh
+++ b/v2v/test-v2v-i-ova-formats.sh
@@ -59,21 +59,22 @@ pushd $d
 truncate -s 10k disk1.vmdk
 sha=`do_sha1 disk1.vmdk`
 echo -e "SHA1(disk1.vmdk)= $sha\r" > disk1.mf
+cp ../test-v2v-i-ova-formats.ovf .
 
 for format in $formats; do
     case "$format" in
         tar)
-            tar -cf test-$format.ova ../test-v2v-i-ova-formats.ovf disk1.vmdk
disk1.mf
+            tar -cf test-$format.ova test-v2v-i-ova-formats.ovf disk1.vmdk
disk1.mf
             ;;
         zip)
-            zip -r test ../test-v2v-i-ova-formats.ovf disk1.vmdk disk1.mf
+            zip -r test test-v2v-i-ova-formats.ovf disk1.vmdk disk1.mf
             mv test.zip test-$format.ova
             ;;
         tar-gz)
-            tar -czf test-$format.ova ../test-v2v-i-ova-formats.ovf disk1.vmdk
disk1.mf
+            tar -czf test-$format.ova test-v2v-i-ova-formats.ovf disk1.vmdk
disk1.mf
             ;;
         tar-xz)
-            tar -cJf test-$format.ova ../test-v2v-i-ova-formats.ovf disk1.vmdk
disk1.mf
+            tar -cJf test-$format.ova test-v2v-i-ova-formats.ovf disk1.vmdk
disk1.mf
             ;;
         *)
             echo "Unhandled format '$format'"
diff --git a/v2v/test-v2v-i-ova-gz.sh b/v2v/test-v2v-i-ova-gz.sh
index a38e1b4..fe2da03 100755
--- a/v2v/test-v2v-i-ova-gz.sh
+++ b/v2v/test-v2v-i-ova-gz.sh
@@ -46,8 +46,9 @@ truncate -s 10k disk1.vmdk
 gzip disk1.vmdk
 sha=`do_sha1 disk1.vmdk.gz`
 echo -e "SHA1(disk1.vmdk.gz)= $sha\r" > disk1.mf
+cp ../test-v2v-i-ova-gz.ovf .
 
-tar -cf test.ova ../test-v2v-i-ova-gz.ovf disk1.vmdk.gz disk1.mf
+tar -cf test.ova test-v2v-i-ova-gz.ovf disk1.vmdk.gz disk1.mf
 popd
 
 # Run virt-v2v but only as far as the --print-source stage, and
diff --git a/v2v/test-v2v-i-ova-two-disks.sh b/v2v/test-v2v-i-ova-two-disks.sh
index aefd90e..2bd8a26 100755
--- a/v2v/test-v2v-i-ova-two-disks.sh
+++ b/v2v/test-v2v-i-ova-two-disks.sh
@@ -51,8 +51,9 @@ echo -e "SHA1(disk1.vmdk)= $sha\r" > disk1.mf
 truncate -s 100k disk2.vmdk
 sha=`do_sha1 disk2.vmdk`
 echo -e "SHA1(disk2.vmdk)= $sha\r" > disk2.mf
+cp ../test-v2v-i-ova-two-disks.ovf .
 
-tar -cf test.ova ../test-v2v-i-ova-two-disks.ovf disk1.vmdk disk1.mf disk2.vmdk
disk2.mf
+tar -cf test.ova test-v2v-i-ova-two-disks.ovf disk1.vmdk disk1.mf disk2.vmdk
disk2.mf
 popd
 
 # Run virt-v2v but only as far as the --print-source stage, and
-- 
2.7.4

Richard W.M. Jones

2016-Dec-12 19:33 UTC

head link

Re: [Libguestfs] [PATCH] v2v: tests: avoid '..' in member names for tar

On Mon, Dec 12, 2016 at 06:28:02PM +0100, Pino Toscano
wrote:> Very recent versions of tar (most probably as a consequence of
> CVE-2016-6321) may refuse archive members with '..', like the
relative
> paths to upper level directories.
> 
> Since these are just tests, simply copy the files in the temporary
> directories where tar (or zip as well) is run, so all the files are in
> the same directory.
> ---
>  v2v/test-v2v-i-ova-formats.sh   | 9 +++++----
>  v2v/test-v2v-i-ova-gz.sh        | 3 ++-
>  v2v/test-v2v-i-ova-two-disks.sh | 3 ++-
>  3 files changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/v2v/test-v2v-i-ova-formats.sh b/v2v/test-v2v-i-ova-formats.sh
> index d113994..ab15f32 100755
> --- a/v2v/test-v2v-i-ova-formats.sh
> +++ b/v2v/test-v2v-i-ova-formats.sh
> @@ -59,21 +59,22 @@ pushd $d
>  truncate -s 10k disk1.vmdk
>  sha=`do_sha1 disk1.vmdk`
>  echo -e "SHA1(disk1.vmdk)= $sha\r" > disk1.mf
> +cp ../test-v2v-i-ova-formats.ovf .
>  
>  for format in $formats; do
>      case "$format" in
>          tar)
> -            tar -cf test-$format.ova ../test-v2v-i-ova-formats.ovf
disk1.vmdk disk1.mf
> +            tar -cf test-$format.ova test-v2v-i-ova-formats.ovf disk1.vmdk
disk1.mf
>              ;;
>          zip)
> -            zip -r test ../test-v2v-i-ova-formats.ovf disk1.vmdk disk1.mf
> +            zip -r test test-v2v-i-ova-formats.ovf disk1.vmdk disk1.mf
>              mv test.zip test-$format.ova
>              ;;
>          tar-gz)
> -            tar -czf test-$format.ova ../test-v2v-i-ova-formats.ovf
disk1.vmdk disk1.mf
> +            tar -czf test-$format.ova test-v2v-i-ova-formats.ovf
disk1.vmdk disk1.mf
>              ;;
>          tar-xz)
> -            tar -cJf test-$format.ova ../test-v2v-i-ova-formats.ovf
disk1.vmdk disk1.mf
> +            tar -cJf test-$format.ova test-v2v-i-ova-formats.ovf
disk1.vmdk disk1.mf
>              ;;
>          *)
>              echo "Unhandled format '$format'"
> diff --git a/v2v/test-v2v-i-ova-gz.sh b/v2v/test-v2v-i-ova-gz.sh
> index a38e1b4..fe2da03 100755
> --- a/v2v/test-v2v-i-ova-gz.sh
> +++ b/v2v/test-v2v-i-ova-gz.sh
> @@ -46,8 +46,9 @@ truncate -s 10k disk1.vmdk
>  gzip disk1.vmdk
>  sha=`do_sha1 disk1.vmdk.gz`
>  echo -e "SHA1(disk1.vmdk.gz)= $sha\r" > disk1.mf
> +cp ../test-v2v-i-ova-gz.ovf .
>  
> -tar -cf test.ova ../test-v2v-i-ova-gz.ovf disk1.vmdk.gz disk1.mf
> +tar -cf test.ova test-v2v-i-ova-gz.ovf disk1.vmdk.gz disk1.mf
>  popd
>  
>  # Run virt-v2v but only as far as the --print-source stage, and
> diff --git a/v2v/test-v2v-i-ova-two-disks.sh
b/v2v/test-v2v-i-ova-two-disks.sh
> index aefd90e..2bd8a26 100755
> --- a/v2v/test-v2v-i-ova-two-disks.sh
> +++ b/v2v/test-v2v-i-ova-two-disks.sh
> @@ -51,8 +51,9 @@ echo -e "SHA1(disk1.vmdk)= $sha\r" >
disk1.mf
>  truncate -s 100k disk2.vmdk
>  sha=`do_sha1 disk2.vmdk`
>  echo -e "SHA1(disk2.vmdk)= $sha\r" > disk2.mf
> +cp ../test-v2v-i-ova-two-disks.ovf .
>  
> -tar -cf test.ova ../test-v2v-i-ova-two-disks.ovf disk1.vmdk disk1.mf
disk2.vmdk disk2.mf
> +tar -cf test.ova test-v2v-i-ova-two-disks.ovf disk1.vmdk disk1.mf
disk2.vmdk disk2.mf
>  popd
>  
>  # Run virt-v2v but only as far as the --print-source stage, and
> -- 
> 2.7.4
Weird breakage in tar, but ACK.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top

Tomáš Golembiovský

2016-Dec-12 23:02 UTC

head link

Re: [Libguestfs] [PATCH] v2v: tests: avoid '..' in member names for tar

On Mon, 12 Dec 2016 18:28:02 +0100
Pino Toscano <ptoscano@redhat.com> wrote:
> Very recent versions of tar (most probably as a consequence of
> CVE-2016-6321) may refuse archive members with '..', like the
relative
> paths to upper level directories.
Well this should not concern us, I believe. The fix should only protect
when extracting tar archive from untrusted source. When you create a tar
archive using GNU tar it does automatically strip the leading '..' and
prints "tar: Removing leading `../' from member names". This has
been
there since I can remember.

That being said, your patch definitely won't do any harm.

    Tomas

--
Tomáš Golembiovský <tgolembi@redhat.com>

Seemingly Similar Threads

Search for more possibly parallel threads

Libguestfs - Dec 2016 - [PATCH] v2v: tests: avoid '..' in member names for tar

[Libguestfs] [PATCH] v2v: tests: avoid '..' in member names for tar

Re: [Libguestfs] [PATCH] v2v: tests: avoid '..' in member names for tar

Re: [Libguestfs] [PATCH] v2v: tests: avoid '..' in member names for tar

Seemingly Similar Threads