Lucene search

K

Gentoo FoundationGLSA-200709-09

HistorySep 15, 2007 - 12:00 a.m.

GNU Tar: Directory traversal vulnerability

2007-09-1500:00:00

Gentoo Foundation

security.gentoo.org

15

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.02 Low

EPSS

Percentile

88.9%

Background

The GNU Tar program provides the ability to create tar archives, as well as various other kinds of manipulation.

Description

Dmitry V. Levin discovered a directory traversal vulnerability in the contains_dot_dot() function in file src/names.c.

Impact

By enticing a user to extract a specially crafted tar archive, a remote attacker could extract files to arbitrary locations outside of the specified directory with the permissions of the user running GNU Tar.

Workaround

There is no known workaround at this time.

Resolution

All GNU Tar users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=app-arch/tar-1.18-r2"

OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-arch/tar< 1.18-r2UNKNOWN

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.02 Low

EPSS

Percentile

88.9%

Related for GLSA-200709-09

openvas25 freebsd1 fedora3 cvelist1 nessus20 centos1 cve1 ubuntucve1 redhat1 ubuntu1 prion1 seebug1 nvd1 debiancve1 oraclelinux1 veracode1 freebsd_advisory1 debian1 osv1 securityvulns2