Posted to common-issues@hadoop.apache.org by GitBox <gi...@apache.org> on 2022/04/13 17:23:37 UTC

[GitHub] [hadoop-site] aajisaka commented on a diff in pull request #38: Add details of CVE-2022-26612

aajisaka commented on code in PR #38:
URL: https://github.com/apache/hadoop-site/pull/38#discussion_r849724777


##########
src/cve_list.md:
##########
@@ -37,6 +37,21 @@ One paragraph summary goes here. Don't need nuts-and-bolts detail, just enough f
 - **Issue Announced**:
 -->
 
+## [CVE-2022-26612](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26612) Arbitrary file write during untar on Windows
+
+In Apache Hadoop, The `unTar` function uses `unTarUsingJava` function on Windows and the built-in tar utility on Unix and other OSes.  As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same `targetDirPath` check on Unix because of the `getCanonicalPath` call. However on Windows, `getCanonicalPath` doesn't resolve symbolic links, which bypasses the check.  `unpackEntries` during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows.
+
+Users of the affected versions should apply either of the following mitigations:
+* Do not run any of the YARN daemons as a user possessing the permissions to create symlinks on Windows.
+* Do not use symlinks in the tar file.
+
+- **Versions affected**: Versions below 3.2.3, 3.3.1, 3.3.2
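Review bot: The `Versions affected` line lists three cutoffs that overlap, since 3.3.1 is itself below 3.3.2; state the range per release line instead (for example, "3.2 releases before 3.2.3 and 3.3 releases before 3.3.2") so readers can tell at a glance whether their branch is affected. Two smaller points in the same hunk: the summary paragraph says "would be caught by the same `targetDirPath` check" before that check has been introduced, so name it on first mention (for example, "the `targetDirPath` check in `unpackEntries`") and then refer back to it; and the mitigation bullets use `*` while the template's field list directly above uses `-`, so `* Do not run any of the YARN daemons ...` and `* Do not use symlinks in the tar file.` should switch to `-` for consistency. Also "In Apache Hadoop, The `unTar` function" should be lower-case "the".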

Review Comment:
   3.3.1 looks redundant. Can be removed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
