GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Wed Dec 10, 2008 6:26 pm Post subject: [ GLSA 200812-10 ] Archive::Tar: Directory traversal vulnera |
 |
|
Gentoo Linux Security Advisory
Title: Archive::Tar: Directory traversal vulnerability (GLSA 200812-10)
Severity: normal
Exploitable: remote
Date: December 10, 2008
Bug(s): #192989
ID: 200812-10
Synopsis
A directory traversal vulnerability has been discovered in Archive::Tar.
Background
Archive::Tar is a Perl module for creation and manipulation of tar
files.
Affected Packages
Package: perl-core/Archive-Tar
Vulnerable: < 1.40
Unaffected: >= 1.40
Architectures: All supported architectures
Description
Jonathan Smith of rPath reported that Archive::Tar does not check for
".." in file names.
Impact
A remote attacker could entice a user or automated system to extract a
specially crafted tar archive, overwriting files at arbitrary locations
outside of the specified directory.
Workaround
There is no known workaround at this time.
Resolution
All Archive::Tar users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/Archive-Tar-1.40" |
References
CVE-2007-4829
Last edited by GLSA on Tue May 31, 2011 4:27 am; edited 2 times in total |
|
News & Announcements
