Debian Bug report logs - #597672
rmt broken by the security fix in 1.20-1+lenny1 version of tar

Package: tar; Maintainer for tar is Bdale Garbee <bdale@gag.com>; Source for tar is src:tar.

Reported by: Dennis Vshivkov <walrus@amur.ru>

Date: Wed, 22 Sep 2010 01:42:01 UTC

Severity: important

Found in version tar/1.20-1+lenny1

Fixed in version tar/1.23-3

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#597672; Package tar. (Wed, 22 Sep 2010 01:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dennis Vshivkov <walrus@amur.ru>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. (Wed, 22 Sep 2010 01:42:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Dennis Vshivkov <walrus@amur.ru>
To: submit@bugs.debian.org
Subject: rmt broken by the security fix in 1.20-1+lenny1 version of tar
Date: Wed, 22 Sep 2010 13:29:26 +1200
Package: tar
Version: 1.20-1+lenny1
Severity: important
Tag: patch

According to the changelog, the latest version of tar package in
lenny replaced rmt source with the one from paxutils for
security reasons.  Unfortunately, it also made it impossible to
use tar and rmt together.

Here's what happens if one tries to tar to a remote file (ssh
plays the role of rsh, as is common nowadays):

    $ tar cf localhost:foo.tar a-file
    Password:
    <... hangs forever ...>

Here's what the rmt binary is doing at the other end:

    ...
    fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77f5000
    read(0, "Ofoo.tar\n65 O_WRONLY|O_CREAT\n"..., 4096) = 29
    fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77f4000
    read(0,
    <... hangs forever ...>

So, rmt receives the O command from tar, does not respond and
expects more commands.  And tar keeps awaiting the response to
the O command.  Both hang indefinitely.

After looking at the new rmt source code, it is rather puzzling
how that rmt from paxutils could ever work.  The problem is that
it uses stdio for its stdout, and by default that is block
buffered.  Let's try fixing that for stdout, and to boot, for
the debug file output of the new rmt, that has the same problem:

--- tar-1.20/rmt/rmt.c  2010-09-22 12:12:15.000000000 +1200
+++ tar-1.20/rmt/rmt.c  2010-09-22 12:16:09.000000000 +1200
@@ -696,6 +696,7 @@ parse_opt (int key, char *arg, struct ar
       dbgout = fopen (arg, "w");
       if (!dbgout)
        error (EXIT_FAILURE, errno, _("cannot open %s"), arg);
+      setlinebuf(dbgout);
       break;

     case ARGP_KEY_FINI:
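
Review bot: `setlinebuf(dbgout);` in parse_opt relies on a BSD extension and drops the space before the parenthesis that the neighbouring lines use (`fopen (arg, "w")`). The standard C spelling `setvbuf (dbgout, NULL, _IOLBF, 0);` has the same effect and keeps the file portable.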
@@ -745,6 +746,7 @@ main (int argc, char **argv)
   int idx;
   int stop = 0;

+  setlinebuf(stdout);
   program_name = argv[0];
   // argp_version_setup ("rmt", rmt_authors);
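
Review bot: `setlinebuf(stdout);` at the top of main only flushes when a newline is written, so any reply that does not end in '\n' would still sit in the stdio buffer while the peer waits for it. An explicit `fflush (stdout);` after each reply, or `setvbuf (stdout, NULL, _IONBF, 0);` at this point, removes that dependency; `setlinebuf` is also a BSD extension, and the call is missing the space before the parenthesis used elsewhere in the file.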


That isn't enough, however:

    $ tar cf localhost:foo.tar a-file
    Password:
    tar: localhost\:foo.tar: Cannot open: Invalid argument
    tar: Error is not recoverable: exiting now

This further problem is now revealed by strace of the rmt side:

    ...
    fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77bf000
    read(0, "Ofoo.tar\n65 O_WRONLY|O_CREAT\n"..., 4096) = 29
    fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77be000
    write(1, "E22\n"..., 4)           = 4
    write(1, "invalid open mode\n"..., 18) = 18
    read(0, ""..., 4096)              = 0
    exit_group(0)                     = ?

The decode_open_flag() function in the rmt from paxutils can not
cope with the `65 O_WRONLY|O_CREAT' value of the `mode' argument
(as rmt(8) calls it) that tar emits.  The coexistence of numeric
and symbolic flag values breaks it.  More quick fixing:

--- tar-1.20/rmt/rmt.c  2010-09-22 12:12:15.000000000 +1200
+++ tar-1.20/rmt/rmt.c  2010-09-22 12:16:09.000000000 +1200
@@ -238,8 +238,14 @@ decode_open_flag (const char *mstr, int
       if (*mstr == 0)
        break;
       else if (c_isdigit (*mstr))
-       v = strtol (mstr, (char**) &p, 10);
-      else if (xlat_kw (mstr, "O_", open_flag_kw, &v, &p))
+        {
+         *pmode = strtol (mstr, (char**) &mstr, 10);
+         if (*mstr && !c_isblank (*mstr))
+           rmt_error_message (EINVAL, "invalid open mode");
+         continue;
+       }
+
+      if (xlat_kw (mstr, "O_", open_flag_kw, &v, &p))
        {
          rmt_error_message (EINVAL, "invalid open mode");
          return 1;
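
Review bot: the new digit branch in decode_open_flag calls `rmt_error_message (EINVAL, "invalid open mode");` and then falls through to `continue;`, whereas the xlat_kw error path right below it does `return 1;`. Without a `return 1;` here the loop keeps parsing input it has already rejected. The branch also stores into `*pmode` before the check, so the caller's value is overwritten even on failure, and `(char**) &mstr` casts away const; parsing into a local `long` with a separate `char *end`, range-checking it, and assigning `*pmode` only on success would avoid all three.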
@@ -265,7 +271,8 @@ decode_open_flag (const char *mstr, int
          return 1;
        }
     }
-  *pmode = mode;
+  if (mode)
+    *pmode = mode;
   return 0;
 }
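
Review bot: `if (mode)` tests the value of the symbolic flags rather than whether any were parsed. A symbolic part whose bits add up to 0 (O_RDONLY is typically 0) can then never override the number, and if no number was given either, `*pmode` is never written while the function still reaches `return 0;`. A separate "saw symbolic flags" boolean set in the keyword branch would make the precedence explicit, and the function should either initialise `*pmode` or fail when nothing was decoded.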


Now my remote tar backups seem to work again, as they did with
tar 1.20-1 and earlier.

Whatever is best to do (applying fixes like the above to the rmt
from paxutils, properly porting the original security fix from a
safe version of tar upstream, or something yet different), but
anyhow, rmt in lenny had better work at all.

Cheers,

-- 
/Awesome Walrus <walrus@amur.ru>
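
Added example, not part of the original report and not the paxutils or Debian code: a stand-alone decoder for the mixed `65 O_WRONLY|O_CREAT` form of the O command's `mode' argument discussed above. The function name `decode_mode`, the reduced keyword table, and the policy that symbolic names take precedence over the number are assumptions made for this illustration.

```c
/* Added example: decode the `mode' argument of rmt's O command, e.g.
   "65 O_WRONLY|O_CREAT".  Caller has stripped the trailing newline. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical keyword table for this example; a real rmt knows more. */
static const struct { const char *name; int value; } flag_kw[] = {
  { "O_RDONLY", O_RDONLY }, { "O_WRONLY", O_WRONLY }, { "O_RDWR", O_RDWR },
  { "O_CREAT", O_CREAT }, { "O_TRUNC", O_TRUNC }, { "O_APPEND", O_APPEND },
};
#define NKW (sizeof flag_kw / sizeof flag_kw[0])
/* Returns 0 and stores the flags in *pmode, or returns EINVAL and leaves
   *pmode untouched.  Assumed policy: symbolic names win over the number. */
int decode_mode (const char *s, int *pmode)
{
  int num = -1, sym = 0, have_sym = 0;   /* num < 0: no number seen */
  if (isdigit ((unsigned char) *s))
    {
      char *end;
      errno = 0;
      long v = strtol (s, &end, 10);
      if (errno || v > INT_MAX || (*end && *end != ' ' && *end != '\t'))
        return EINVAL;            /* overflow or junk glued to the number */
      num = (int) v;
      s = end;
    }
  while (*s == ' ' || *s == '\t')
    s++;
  while (*s)
    {
      size_t i, n = strcspn (s, "|");
      for (i = 0; i < NKW; i++)
        if (strlen (flag_kw[i].name) == n && !strncmp (s, flag_kw[i].name, n))
          break;
      if (i == NKW)
        return EINVAL;            /* unknown or empty flag name */
      sym |= flag_kw[i].value;
      have_sym = 1;
      s += n;
      if (*s == '|' && *++s == 0)
        return EINVAL;            /* trailing '|' */
    }
  if (!have_sym && num < 0)
    return EINVAL;                /* nothing to decode */
  *pmode = have_sym ? sym : num;
  return 0;
}
```

Tracking `have_sym` separately from the flag value is what lets a lone `O_RDONLY` decode correctly even though its value is zero.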




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#597672; Package tar. (Wed, 22 Sep 2010 06:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Wed, 22 Sep 2010 06:18:05 GMT) Full text and rfc822 format available.

Message #10 received at 597672@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Dennis Vshivkov <walrus@amur.ru>, 597672@bugs.debian.org
Subject: Re: Bug#597672: rmt broken by the security fix in 1.20-1+lenny1 version of tar
Date: Wed, 22 Sep 2010 00:15:47 -0600
On Wed, 22 Sep 2010 13:29:26 +1200, Dennis Vshivkov <walrus@amur.ru> wrote:
> According to the changelog, the latest version of tar package in
> lenny replaced rmt source with the one from paxutils for
> security reasons.  Unfortunately, it also made it impossible to
> use tar and rmt together.

Have you tried using a tar 1.23 version?  The rmt version I used for
1.20-1+lenny1 is the one that's shipping in the current tar source
tree.  So, I'd like to understand whether there's something about
fresher versions of tar that causes them to work better with rmt, or if
this is a general upstream problem with the rmt in tar at this point.

Bdale

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#597672; Package tar. (Wed, 22 Sep 2010 07:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dennis Vshivkov <walrus@amur.ru>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Wed, 22 Sep 2010 07:51:03 GMT) Full text and rfc822 format available.

Message #15 received at 597672@bugs.debian.org (full text, mbox):

From: Dennis Vshivkov <walrus@amur.ru>
To: Bdale Garbee <bdale@gag.com>
Cc: 597672@bugs.debian.org
Subject: Re: Bug#597672: rmt broken by the security fix in 1.20-1+lenny1 version of tar
Date: Wed, 22 Sep 2010 19:37:13 +1200
On Wed, Sep 22, 2010 at 12:15:47AM -0600, Bdale Garbee wrote:

 >> According to the changelog, the latest version of tar
 >> package in lenny replaced rmt source with the one from
 >> paxutils for security reasons.  Unfortunately, it also made
 >> it impossible to use tar and rmt together.

 > Have you tried using a tar 1.23 version?  The rmt version I
 > used for 1.20-1+lenny1 is the one that's shipping in the
 > current tar source tree.  So, I'd like to understand whether
 > there's something about fresher versions of tar that causes
 > them to work better with rmt, or if this is a general
 > upstream problem with the rmt in tar at this point.

I hadn't before.  I have just tried using rmt binary from tar
1.23-2.1 (squeeze).  It's just as broken as the one in
1.20-1+lenny1.  Using it with tar binary from the same version
of the package doesn't help either, naturally.

My bad, I misinterpreted the 1.20-1+lenny1 changelog entry,
somehow thinking that taking paxutils rmt was a Debian-specific
way of the security fix.  It indeed seems a tar upstream
problem.

However, I also found out that rmt in the paxutils upstream has
been altered a week ago to fix the buffering of stdout (but not
debug output) and parsing of the `mode' argument of `O' command.

(I found that out from Debian bug #587702, reporting essentially
the same as the one I posted, albeit with no patches.  I should
have found it first and added to it instead of posting a new
report, another bad of mine...)

So, Debian Lenny version of tar package can wait for the updated
rmt to get from paxutils upstream to tar upstream, and then
reimport it, or reimport the updated rmt directly from paxutils
upstream, or just outright apply the fixes like mine or the one
referred to in #587702.

Cheers,

-- 
/Awesome Walrus <walrus@amur.ru>




Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Wed, 22 Sep 2010 08:39:09 GMT) Full text and rfc822 format available.

Notification sent to Dennis Vshivkov <walrus@amur.ru>:
Bug acknowledged by developer. (Wed, 22 Sep 2010 08:39:09 GMT) Full text and rfc822 format available.

Message #20 received at 597672-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 597672-close@bugs.debian.org
Subject: Bug#597672: fixed in tar 1.23-3
Date: Wed, 22 Sep 2010 08:36:11 +0000
Source: tar
Source-Version: 1.23-3

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive:

tar_1.23-3.diff.gz
  to main/t/tar/tar_1.23-3.diff.gz
tar_1.23-3.dsc
  to main/t/tar/tar_1.23-3.dsc
tar_1.23-3_i386.deb
  to main/t/tar/tar_1.23-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 597672@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Sep 2010 00:33:16 -0600
Source: tar
Binary: tar
Architecture: source i386
Version: 1.23-3
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 tar        - GNU version of the tar archiving utility
Closes: 561598 587702 597672
Changes: 
 tar (1.23-3) unstable; urgency=medium
 .
   * add xz-utils back to the Suggests list since it may not be 'required'
     forever
   * current debhelper includes trigger support, closes: #561598
   * patch from upstream to fix ability of rmt to accept mixed file mode
     representations, closes: #587702, #597672





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#597672; Package tar. (Wed, 22 Sep 2010 09:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Wed, 22 Sep 2010 09:30:03 GMT) Full text and rfc822 format available.

Message #25 received at 597672@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Dennis Vshivkov <walrus@amur.ru>, 597672@bugs.debian.org
Cc: 597672@bugs.debian.org
Subject: Re: Bug#597672: rmt broken by the security fix in 1.20-1+lenny1 version of tar
Date: Wed, 22 Sep 2010 03:26:50 -0600
On Wed, 22 Sep 2010 19:37:13 +1200, Dennis Vshivkov <walrus@amur.ru> wrote:
> However, I also found out that rmt in the paxutils upstream has
> been altered a week ago to fix the buffering of stdout (but not
> debug output) and parsing of the `mode' argument of `O' command.

Yes, I noticed that after sending the email .. sigh.  I've done an
upload of tar to unstable with this and a couple other bug fixes, please
give it a try if you can and let me know if it solves your problem.  If
it does, then I'll find time to patch the lenny version with the same
fix to rmt. 

Bdale

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#597672; Package tar. (Thu, 23 Sep 2010 00:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dennis Vshivkov <walrus@amur.ru>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Thu, 23 Sep 2010 00:54:03 GMT) Full text and rfc822 format available.

Message #30 received at 597672@bugs.debian.org (full text, mbox):

From: Dennis Vshivkov <walrus@amur.ru>
To: Bdale Garbee <bdale@gag.com>
Cc: 597672@bugs.debian.org
Subject: Re: Bug#597672: rmt broken by the security fix in 1.20-1+lenny1 version of tar
Date: Thu, 23 Sep 2010 12:50:55 +1200
On Wed, Sep 22, 2010 at 03:26:50AM -0600, Bdale Garbee wrote:

 >> However, I also found out that rmt in the paxutils upstream
 >> has been altered a week ago to fix the buffering of stdout
 >> (but not debug output) and parsing of the `mode' argument of
 >> `O' command.

 > Yes, I noticed that after sending the email .. sigh.  I've
 > done an upload of tar to unstable with this and a couple
 > other bug fixes, please give it a try if you can and let me
 > know if it solves your problem.  If it does, then I'll find
 > time to patch the lenny version with the same fix to rmt. 

I have just given rmt from your fresh tar 1.23-3 (unstable) a
quick try, and can confirm that it seems to work with tar from
the same and previous package versions, solving my problem just
fine.  It should be OK to patch the lenny version with the fix.

Thanks,

-- 
/Awesome Walrus <walrus@amur.ru>




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Oct 2010 07:33:31 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:54:54 2014; Machine Name: buxtehude.debian.org
