Bug 189682 - app-arch/tar < 1.18-r2 Directory traversal vulnerability (CVE-2007-4131)
Summary: app-arch/tar < 1.18-r2 Directory traversal vulnerability (CVE-2007-4131)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A4 [glsa]
Depends on:
Reported: 2007-08-21 09:37 UTC by Robert Buchholz (RETIRED)
Modified: 2007-09-16 10:09 UTC


Attachment: tar-1.15.1-alt-contains_dot_dot.diff (531 bytes, patch), 2007-08-21 09:38 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-08-21 09:37:26 UTC
There is a directory traversal vulnerability in tar that can be exploited by files in an archive that have "foo//.." as a filename.
The attached patch was committed upstream.
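Added example, not code from this bug or from tar itself: the bug report only gives the triggering member name "foo//.." and the patch file name, so the two `contains_dot_dot` variants below are an illustrative reconstruction of the flaw class (an assumption about the shape of the check, not tar's source). The flawed scanner unconditionally consumes one character before looking for the next '/', so the empty component produced by "//" swallows the second slash and the ".." that follows is never examined as the start of a component. The fixed scanner checks for '/' before consuming, and a component-wise checker is shown as the clearer way to write the same policy (it also rejects absolute names). All inputs are constructed test strings.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed variant (reconstruction, assumption): the do/while always eats one
 * character before testing for '/', so after "foo/" the second '/' of "//"
 * is consumed as if it were part of a component and the ".." behind it is
 * never seen at a component boundary. */
static bool contains_dot_dot_flawed(const char *p)
{
    for (;; p++) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            return true;
        do {
            if (!*p++)
                return false;
        } while (*p != '/');
    }
}

/* Fixed variant (reconstruction, assumption): test for '/' before
 * consuming, so an empty component leaves p on the slash and the outer
 * loop's p++ lands exactly on the ".." that follows it. */
static bool contains_dot_dot_fixed(const char *p)
{
    for (;; p++) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            return true;
        while (*p != '/') {
            if (!*p++)
                return false;
        }
    }
}

/* Component-wise policy check (added here, not tar's code): split on '/',
 * ignore empty components such as those produced by "//" or a trailing
 * slash, reject any component that is exactly "..", and reject absolute
 * names. "..foo" is a legitimate file name and is allowed. */
static bool unsafe_member_name(const char *name)
{
    if (name[0] == '/')
        return true;
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

int main(void)
{
    /* Constructed member names; the third is the shape named in the bug. */
    const char *names[] = { "foo/../etc/passwd", "foo/..bar",
                            "foo//../etc/passwd", "/etc/passwd", "ok/dir/file" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s flawed=%d fixed=%d componentwise=%d\n", names[i],
               contains_dot_dot_flawed(names[i]),
               contains_dot_dot_fixed(names[i]),
               unsafe_member_name(names[i]));
    return 0;
}
```

The flawed scanner misses "foo//../etc/passwd" even though it catches "foo/../etc/passwd"; any extractor that uses such a check and then joins the member name onto the destination directory will write outside it. The component-wise form makes the policy explicit and is harder to get wrong than a character-level state machine.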
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-08-21 09:38:06 UTC
Created attachment 128748 [details, diff]
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-21 20:38:02 UTC
base-system please advise and patch as necessary.
Comment 3 Roy Marples (RETIRED) gentoo-dev 2007-08-22 09:18:01 UTC
1.17-r1 and 1.18-r1 have been added to the tree with this patch. Older versions have now been punted.

1.17 is stable across all arches and 1.18 is in the process of being stabled on bug #184453.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-22 16:52:41 UTC
Arches please test and mark stable. Target keywords are:

"alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-22 17:54:53 UTC
sparc stable for 1.18-r2 (which is probably the one you want?)
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-22 18:29:08 UTC
ppc stable
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2007-08-22 20:34:19 UTC
x86 done
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2007-08-22 22:31:47 UTC
amd64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-23 04:55:48 UTC
Stable for HPPA.
Comment 10 Joshua Kinard gentoo-dev 2007-08-23 05:41:28 UTC
mips stable.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-08-24 14:28:31 UTC
alpha/ia64 stable
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2007-08-29 10:25:52 UTC
ppc64 stable
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-01 22:22:57 UTC
Stabling seems done on all arches, time for glsa decision. I tend to vote yes.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-08 15:41:31 UTC
I vote YES.
Comment 15 Matt Drew (RETIRED) gentoo-dev 2007-09-09 22:32:52 UTC
I vote yes, the flaw is (apparently) easy to use, and tar is of course ubiquitous. Submitting request.
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-16 10:09:44 UTC
This is GLSA 200709-09, done by falco.  Thanks to everyone, closing