Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201611-19 ] Tar
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Advocate
Advocate


Joined: 12 May 2004
Posts: 2663

PostPosted: Tue Nov 22, 2016 4:26 pm    Post subject: [ GLSA 201611-19 ] Tar Reply with quote

Gentoo Linux Security Advisory

Title: Tar: Extract pathname bypass (GLSA 201611-19)
Severity: normal
Exploitable: remote
Date: November 22, 2016
Bug(s): #598334
ID: 201611-19

Synopsis

A path traversal attack in Tar may lead to the remote execution of
arbitrary code.


Background

The Tar program provides the ability to create and manipulate tar
archives.


Affected Packages

Package: app-arch/tar
Vulnerable: < 1.29-r1
Unaffected: >= 1.29-r1
Architectures: All supported architectures


Description

Tar attempts to avoid path traversal attacks by removing offending parts
of the element name at extract. This sanitizing leads to a vulnerability
where the attacker can bypass the path name(s) specified on the command
line.


Impact

The attacker can create a crafted tar archive that, if extracted by the
victim, replaces files and directories the victim has access to in the
target directory, regardless of the path name(s) specified on the command
line.


Workaround

There is no known workaround at this time.

Resolution

All Tar users should upgrade to the latest version:
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose ">=app-arch/tar-1.29-r1"
   


References

CVE-2016-6321
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum