delphix / linux-pkg

Framework to build custom packages for the Delphix Appliance
Apache License 2.0

DLPX-85006 CVE-2022-48303 found in virtualization affected package tar_1.30+dfsg-7ubuntu0.20.04.2 #277

Closed prakashsurya closed 1 year ago

prakashsurya commented 1 year ago

Testing: BB pre-checkin

See here for a run with a "6.0/release" based VM with my changes applied (i.e. updated "tar" package installed).

Testing: package build

$ ./buildpkg.sh misc-debs
...
Success: Package misc-debs has been built successfully.
Build products are in /export/home/delphix/linux-pkg/packages/misc-debs/tmp/artifacts

$ dpkg -c ./packages/misc-debs/tmp/artifacts/tar_1.30+dfsg-7ubuntu0.20.04.3_amd64.deb
drwxr-xr-x root/root         0 2023-02-09 17:17 ./
drwxr-xr-x root/root         0 2023-02-09 17:17 ./bin/
-rwxr-xr-x root/root    448112 2023-02-09 17:17 ./bin/tar
drwxr-xr-x root/root         0 2023-02-09 17:17 ./etc/
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/lib/
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/lib/mime/
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/lib/mime/packages/
-rw-r--r-- root/root       327 2020-03-14 20:24 ./usr/lib/mime/packages/tar
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/sbin/
-rwxr-xr-x root/root     59952 2023-02-09 17:17 ./usr/sbin/rmt-tar
-rwxr-xr-x root/root       936 2023-02-09 17:17 ./usr/sbin/tarcat
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/share/
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/share/doc/
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/share/doc/tar/
-rw-r--r-- root/root       601 2018-04-29 17:45 ./usr/share/doc/tar/AUTHORS
-rw-r--r-- root/root     21984 2018-04-29 17:45 ./usr/share/doc/tar/NEWS.gz
-rw-r--r-- root/root       849 2020-03-14 20:24 ./usr/share/doc/tar/README.Debian
-rw-r--r-- root/root     10596 2018-04-29 17:45 ./usr/share/doc/tar/THANKS.gz
-rw-r--r-- root/root      1680 2023-02-09 17:17 ./usr/share/doc/tar/changelog.Debian.gz
-rw-r--r-- root/root      1486 2020-03-14 20:24 ./usr/share/doc/tar/copyright
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/share/man/
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/share/man/man1/
-rw-r--r-- root/root     13470 2023-02-09 17:17 ./usr/share/man/man1/tar.1.gz
-rw-r--r-- root/root       366 2023-02-09 17:17 ./usr/share/man/man1/tarcat.1.gz
drwxr-xr-x root/root         0 2023-02-09 17:17 ./usr/share/man/man8/
-rw-r--r-- root/root      2392 2023-02-09 17:17 ./usr/share/man/man8/rmt-tar.8.gz
lrwxrwxrwx root/root         0 2023-02-09 17:17 ./etc/rmt -> /usr/sbin/rmt

Testing: package installation

$ dpkg -l | awk '$2 == "tar"'
ii  tar                                                       1.30+dfsg-7ubuntu0.20.04.2                 amd64        GNU version of the tar archiving utility

$ sudo apt-get install ./tar_1.30+dfsg-7ubuntu0.20.04.3_amd64.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'tar' instead of './tar_1.30+dfsg-7ubuntu0.20.04.3_amd64.deb'
Suggested packages:
  ncompress tar-scripts tar-doc
The following packages will be upgraded:
  tar
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/240 kB of archives.
After this operation, 4,096 B of additional disk space will be used.
Get:1 /export/home/delphix/tar_1.30+dfsg-7ubuntu0.20.04.3_amd64.deb tar amd64 1.30+dfsg-7ubuntu0.20.04.3 [240 kB]
(Reading database ... 211163 files and directories currently installed.)
Preparing to unpack .../tar_1.30+dfsg-7ubuntu0.20.04.3_amd64.deb ...
Unpacking tar (1.30+dfsg-7ubuntu0.20.04.3) over (1.30+dfsg-7ubuntu0.20.04.2) ...
Setting up tar (1.30+dfsg-7ubuntu0.20.04.3) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for mime-support (3.64ubuntu1) ...

$ dpkg -l | awk '$2 == "tar"'
ii  tar                                                       1.30+dfsg-7ubuntu0.20.04.3                 amd64        GNU version of the tar archiving utility
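The scanner finding in the title (DLPX-85006) and the before/after `dpkg -l` lines above both come down to one question: does the installed tar version sort at or above the version that carries the CVE-2022-48303 fix? Debian version ordering is not plain string or numeric comparison (epochs, `~` sorting before the empty string, and mixed letter/digit revisions such as `7ubuntu0.20.04.3` all matter), so the following is an added example, not code from the delphix/linux-pkg repository: a Python port of dpkg's `verrevcmp()` ordering, applied to the two `dpkg -l` lines copied from the PR description. The `FIXED_VERSIONS` table is a constructed assumption for the demo, built from the PR title and the `.3` version of the rebuilt package; the function names are mine.

```python
"""Debian version ordering, used to decide whether an installed package
already carries a CVE fix.

Added example, not part of delphix/linux-pkg. The comparison is a Python
port of dpkg's verrevcmp()/order() (Debian Policy 5.6.12). The sample
'dpkg -l' lines are copied from the PR description; the CVE-to-fixed-version
mapping is a constructed assumption for this demo.
"""
from __future__ import annotations

# Constructed for this example: the version in which the rebuilt tar package
# carries the CVE-2022-48303 fix, per the PR above.
FIXED_VERSIONS = {"tar": {"CVE-2022-48303": "1.30+dfsg-7ubuntu0.20.04.3"}}

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Weight of one character in a non-numeric run (dpkg's order()):
    '~' sorts before end-of-string, letters sort before other punctuation."""
    if c == "" or c in _DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the dpkg way:
    alternate non-digit runs (by _order) and digit runs (numerically,
    leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1  # a has more digits in this run, so it is larger
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0, matching dpkg --compare-versions lt/eq/gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def installed_version(dpkg_l_output: str, package: str) -> str | None:
    """Pull a package's version out of 'dpkg -l' output
    (status, name, version, arch, description; whitespace-separated)."""
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "ii" and fields[1] == package:
            return fields[2]
    return None


def unfixed_cves(dpkg_l_output: str, package: str) -> list[str]:
    """CVEs whose fixed version sorts above the installed version."""
    current = installed_version(dpkg_l_output, package)
    if current is None:
        return []
    return [cve for cve, fixed in FIXED_VERSIONS.get(package, {}).items()
            if compare_versions(current, fixed) < 0]


# 'dpkg -l | awk' output copied from the PR description above.
BEFORE = "ii  tar  1.30+dfsg-7ubuntu0.20.04.2  amd64  GNU version of the tar archiving utility"
AFTER = "ii  tar  1.30+dfsg-7ubuntu0.20.04.3  amd64  GNU version of the tar archiving utility"

if __name__ == "__main__":
    print("before upgrade:", unfixed_cves(BEFORE, "tar"))
    print("after upgrade: ", unfixed_cves(AFTER, "tar"))
```

On a real host, `dpkg --compare-versions "$installed" ge "$fixed"` gives the same answer; the point of the port is to show why a naive `>=` on the strings would mis-order cases such as `1.0~rc1` against `1.0`, or `1.10` against `1.9`, which is exactly the kind of mistake that produces false positives or false negatives in a package-based CVE check.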

prakashsurya commented 1 year ago

we would have created a release tag on this gate for 9.0 which will have this file right?

Pavel wrote the comment, but I think it's referring to the file in Artifactory, which is not tagged; i.e. don't remove the file in Artifactory (even once the "current" release doesn't use it), since older releases may attempt to use it (e.g. a hotfix build).