Bug 189682

Summary: app-arch/tar < 1.18-r2 Directory traversal vulnerability (CVE-2007-4131)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system, bernd, chainsaw, clmason
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---
Attachments:
tar-1.15.1-alt-contains_dot_dot.diff (flags: none)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-08-21 09:37:26 UTC
There is a directory traversal vulnerability in tar that can be exploited by files in an archive that have "foo//.." as a filename.
The attached patch was committed upstream.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-08-21 09:38:06 UTC
Created attachment 128748 [details, diff]
tar-1.15.1-alt-contains_dot_dot.diff
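The description above says the traversal is triggered by member names of the form "foo//..". The block below is an added example, not code from this bug, from the attached patch, or from tar itself: it contrasts a slash-by-slash scanner (an assumed, simplified model of the kind of check that repeated slashes can fool, written here to illustrate the failure mode rather than copied from tar) with a component-based check that splits the name and discards empty components, so ".." is always seen. It then runs the hardened check over a constructed in-memory archive using Python's standard tarfile module; the member names in that archive are constructed for the example.

```python
"""Archive member-name checks for the "foo//.." traversal class.

Added example for the bug above; not tar's code or the attached patch.
"""
from __future__ import annotations

import io
import tarfile


def naive_contains_dot_dot(name: str) -> bool:
    """Flawed scanner (assumed model of the failure mode, not tar's code).

    It assumes exactly one '/' separates components: after finding a
    slash it unconditionally consumes one more character, so the second
    '/' of '//' is eaten as if it began a component and the '..' behind
    it is never inspected.
    """
    n = len(name)
    i = 0
    while True:
        # Does a '..' component start at position i?
        if name.startswith("..", i) and (i + 2 == n or name[i + 2] == "/"):
            return True
        # Advance to the next '/', consuming one character first no matter
        # what it is. This unconditional step is the flaw.
        while True:
            if i >= n:
                return False
            i += 1
            if i < n and name[i] == "/":
                break
        i += 1  # step past the slash; on '//' this lands on the 2nd slash


def safe_member_name(name: str) -> bool:
    """Hardened check: reject absolute names and any '..' component.

    Splitting on '/' and dropping empty and '.' components collapses any
    run of slashes, so 'foo//..' is seen as ['foo', '..'] and rejected.
    """
    if not name or name.startswith("/"):
        return False
    parts = [p for p in name.split("/") if p not in ("", ".")]
    return ".." not in parts


def unsafe_members(tar_bytes: bytes) -> list[str]:
    """Return the names of all members that fail safe_member_name()."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if not safe_member_name(m.name)]


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and two traversal-style names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("ok/file.txt", "foo//../escape.txt", "../escape2.txt"):
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for candidate in ("foo/..", "foo//..", "a/../b", "ok/file.txt"):
        print(f"{candidate!r:14} naive={naive_contains_dot_dot(candidate)!s:5} "
              f"safe={safe_member_name(candidate)}")
    print("flagged in sample archive:", unsafe_members(build_sample_archive()))
```

Running the block prints that the naive scanner flags "foo/.." and "a/../b" but not "foo//..", while the component-based check rejects all three; scanning the constructed archive reports both escape names. The same split-and-compare logic is what a defender wants wherever archive names are validated before extraction, since it does not depend on how many separators the producer wrote.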
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-21 20:38:02 UTC
base-system please advise and patch as necessary.
Comment 3 Roy Marples (RETIRED) gentoo-dev 2007-08-22 09:18:01 UTC
1.17-r1 and 1.18-r1 have been added to the tree with this patch. Older versions have now been punted.

1.17 is stable across all arches and 1.18 is in the process of being stabled on bug #184453.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-22 16:52:41 UTC
Arches please test and mark stable. Target keywords are:

"alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-22 17:54:53 UTC
sparc stable for 1.18-r2 (which is probably the one you want?)
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-22 18:29:08 UTC
ppc stable
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2007-08-22 20:34:19 UTC
x86 done
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2007-08-22 22:31:47 UTC
amd64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-23 04:55:48 UTC
Stable for HPPA.
Comment 10 Joshua Kinard gentoo-dev 2007-08-23 05:41:28 UTC
mips stable.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-08-24 14:28:31 UTC
alpha/ia64 stable
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2007-08-29 10:25:52 UTC
ppc64 stable
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-01 22:22:57 UTC
Stabling seems done on all arches, time for glsa decision. I tend to vote yes.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-08 15:41:31 UTC
I vote YES.
Comment 15 Matt Drew (RETIRED) gentoo-dev 2007-09-09 22:32:52 UTC
I vote yes, the flaw is (apparently) easy to use, and tar is of course ubiquitous.  Submitting request.
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-16 10:09:44 UTC
This is GLSA 200709-09, done by falco. Thanks to everyone, closing.