|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Raphael Marichez (falco
gentoo.org)
Date: Sat Sep 15 2007 - 17:21:35 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200709-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GNU Tar: Directory traversal vulnerability
Date: September 15, 2007
Bugs: #189682
ID: 200709-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A directory traversal vulnerability has been discovered in GNU Tar.
Background
==========
The GNU Tar program provides the ability to create tar archives, as
well as various other kinds of manipulation.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-arch/tar < 1.18-r2 >= 1.18-r2
Description
===========
Dmitry V. Levin discovered a directory traversal vulnerability in the
contains_dot_dot() function in file src/names.c.
Impact
======
By enticing a user to extract a specially crafted tar archive, a remote
attacker could extract files to arbitrary locations outside of the
specified directory with the permissions of the user running GNU Tar.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GNU Tar users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/tar-1.18-r2"
References
==========
[ 1 ] CVE-2007-4131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200709-09.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iQEVAwUBRuxa7zvRww8BFPxFAQKYkwf/eXXWr6JhxsyljKDHWYQkH9o0IzGcw0gn
KGU3ahM+ncprzX1aXq7akCUjgPmXyL344aaay9Dp5WBy9KGrv14VdmpCQRYPy6q8
D8b2UcEiwbVx3ZJ/GtdZacaRJvDTZ1S3DvpiuQ40H11Oa9X5h072ag6oemP8A0xF
oY9tXNfPFDQfvz27xw67QDfGg0isGDZkOkOoNa5j7qHJY+G2UtaXmkbXZn5vxJ4t
KvwdfxCh17kruvSkKnYzI4BOCsi1fBsn6uyFxCgUNlbcY3aAq01rtWBbo9dSoOGm
b1vMBSUZ53HAargYXsJ7NbnU1dHf7Jmq9SxE1ATeJ9Z//yVEVJ3a3A==
=Alm/
-----END PGP SIGNATURE-----
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]