Posted: Wed Dec 10, 2008 6:26 pm Post subject: [ GLSA 200812-10 ] Archive::Tar: Directory traversal vulnera
Gentoo Linux Security Advisory
Title: Archive::Tar: Directory traversal vulnerability (GLSA 200812-10)
Date: December 10, 2008
A directory traversal vulnerability has been discovered in Archive::Tar.
Archive::Tar is a Perl module for creation and manipulation of tar
Vulnerable: < 1.40
Unaffected: >= 1.40
Architectures: All supported architectures
Jonathan Smith of rPath reported that Archive::Tar does not check for
".." in file names.
A remote attacker could entice a user or automated system to extract a
specially crafted tar archive, overwriting files at arbitrary locations
outside of the specified directory.
There is no known workaround at this time.
All Archive::Tar users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/Archive-Tar-1.40"
Last edited by GLSA on Tue May 31, 2011 4:27 am; edited 2 times in total
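
An added example, not part of the advisory or of Archive::Tar: a shell check that lists an archive's member names and flags the condition described above (a ".." component in a file name) before the archive is handed to an automated extractor. It also flags absolute paths, which goes beyond what the advisory states; the function names and the sample listing are constructed for illustration, and the check complements the upgrade rather than replacing it.

```shell
#!/bin/sh
# Added example: audit tar member names for path traversal before extraction.

# Reads member names on stdin, one per line. Prints "<reason>\t<name>" for
# each unsafe name and returns non-zero if any were found.
unsafe_tar_members() {
    found=0
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in
            /*)                   reason="absolute path" ;;
            ..|../*|*/..|*/../*)  reason="'..' path component" ;;
            *)                    continue ;;  # e.g. "notes..txt" is fine
        esac
        printf '%s\t%s\n' "$reason" "$name"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Lists an archive with tar -t (no extraction) and audits the names.
# Returns 0 = clean, 1 = unsafe members found, 2 = archive could not be listed.
audit_tar() {
    listing=$(tar -tf "$1") || { echo "cannot list $1" >&2; return 2; }
    printf '%s\n' "$listing" | unsafe_tar_members
}

# Constructed sample listing (not taken from a real archive).
printf '%s\n' \
    'pkg/README' \
    'pkg/../../etc/cron.d/job' \
    '/etc/passwd' \
    'pkg/notes..txt' |
    unsafe_tar_members || echo "archive rejected: unsafe member names"
```

Only member names are examined here; link targets inside the archive are not visible in a plain name listing and need a separate check.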