Bug 563756 (CVE-2011-5325) - <sys-apps/busybox-1.28.0: tar directory traversal
Summary: <sys-apps/busybox-1.28.0: tar directory traversal
Alias: CVE-2011-5325
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: A4 [glsa+ cve]
Depends on: CVE-2017-16544
Reported: 2015-10-22 07:52 UTC by Agostino Sarubbo
Modified: 2018-03-26 16:27 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-10-22 07:52:39 UTC
From ${URL} :

Hello - The BusyBox implementation of tar will extract a symlink that
points outside of the current working directory and then follow that
symlink when extracting other files. This allows for a directory
traversal attack when extracting untrusted tarballs.

This behavior was documented in the BusyBox source with the following
2011 commit:

I've created an upstream bug report:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
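The symlink-then-file pattern the report describes, as an added defensive example that is not part of the bug report, BusyBox, or the Gentoo package: a small Python audit that inspects an archive's member list before anything is written to disk and flags entries whose path leaves the destination, link targets that resolve outside it, and files whose path passes through a symlink declared by an earlier member. The sample archive, the destination `/extract`, and the function names are constructed for this example.

```python
import io
import posixpath
import tarfile


# Constructed sample: a benign file, a symlink whose target leaves the
# extraction root, and a file whose path passes through that symlink.
def build_sample_tarball(with_traversal=True):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        readme = tarfile.TarInfo("docs/readme.txt")
        text = b"hello\n"
        readme.size = len(text)
        tf.addfile(readme, io.BytesIO(text))
        if with_traversal:
            link = tarfile.TarInfo("link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"
            tf.addfile(link)
            through = tarfile.TarInfo("link/file.txt")
            data = b"lands outside the extraction root if the symlink is followed\n"
            through.size = len(data)
            tf.addfile(through, io.BytesIO(data))
    return buf.getvalue()


def _inside(dest, path):
    """True if a normalised absolute path lies within dest."""
    dest = posixpath.normpath(dest)
    return path == dest or path.startswith(dest + "/")


def audit_tarball(data, dest="/extract"):
    """Return (member, reason) pairs for entries that could escape dest.

    Reasons: 'escapes-destination' (the member path itself leaves dest),
    'link-outside' (a symlink or hard link target resolves outside dest),
    'through-symlink' (a later member is written through an earlier symlink).
    """
    findings = []
    symlinks = {}  # normalised member path -> resolved absolute target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf.getmembers():
            name = posixpath.normpath(m.name)
            full = posixpath.normpath(posixpath.join(dest, m.name))
            if not _inside(dest, full):
                findings.append((m.name, "escapes-destination"))
                continue
            # Any ancestor that an earlier entry declared as a symlink means
            # the write would follow that link: the pattern in the report.
            parts = name.split("/")
            for i in range(1, len(parts)):
                if "/".join(parts[:i]) in symlinks:
                    findings.append((m.name, "through-symlink"))
                    break
            if m.issym() or m.islnk():
                target = m.linkname
                if m.issym() and not posixpath.isabs(target):
                    # symlinks resolve relative to their own directory
                    resolved = posixpath.normpath(
                        posixpath.join(dest, posixpath.dirname(name), target))
                elif m.issym():
                    resolved = posixpath.normpath(target)
                else:
                    # hard link names are relative to the archive root
                    resolved = posixpath.normpath(posixpath.join(dest, target))
                if not _inside(dest, resolved):
                    findings.append((m.name, "link-outside"))
                if m.issym():
                    symlinks[name] = resolved
    return findings


def is_safe_to_extract(data, dest="/extract"):
    """Convenience gate: extract only archives with no findings."""
    return not audit_tarball(data, dest)


if __name__ == "__main__":
    for member, reason in audit_tarball(build_sample_tarball()):
        print(f"{reason:20} {member}")
```

The audit runs over member metadata only, so it can gate extraction of untrusted archives without touching the filesystem. On Python 3.12 and later (and the security backports to earlier 3.x releases), `TarFile.extractall(..., filter="data")` rejects the same classes of member during extraction itself; the explicit audit above is useful where you need a report of what was rejected and why, or where the extractor is another tool such as BusyBox tar.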
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-08 23:01:05 UTC
From $URL:

Thanks for detailing this bug. I can now confirm that this has been exploited "in the wild" to root / jailbreak DJI Mavic, Spark, Inspire2, and Phantom 4 drone series. 

Exploit here for posterity

Thanks for pushing to get this patched. It has festered for a while.
Comment 3 Larry the Git Cow gentoo-dev 2018-01-24 04:16:38 UTC
The bug has been referenced in the following commit(s):

commit 7271c533c68a35f72cdb907d3e2743275505c5c6
Author:     Mike Frysinger <>
AuthorDate: 2018-01-24 04:11:19 +0000
Commit:     Mike Frysinger <>
CommitDate: 2018-01-24 04:14:46 +0000

    sys-apps/busybox: version bump to 1.28.0 #563756 #635392 #638258

 sys-apps/busybox/Manifest              |   1 +
 sys-apps/busybox/busybox-1.28.0.ebuild | 310 +++++++++++++++++++++++++++++++++
 2 files changed, 311 insertions(+)
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-03-26 16:27:01 UTC
This issue was resolved and addressed in
 GLSA 201803-12 at
by GLSA coordinator Aaron Bauman (b-man).