Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 487686 (CVE-2013-4420) - <dev-libs/libtar-1.2.20-r3: "tar_extract_glob()" and "tar_extract_all()" Directory Traversal Vulnerabilities (CVE-2013-4420)
Summary: <dev-libs/libtar-1.2.20-r3: "tar_extract_glob()" and "tar_extract_all()" Dire...
Alias: CVE-2013-4420
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2013-10-11 19:00 UTC by Agostino Sarubbo
Modified: 2015-11-09 22:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

libtar-CVE-2013-4420.patch (libtar-CVE-2013-4420.patch,2.40 KB, patch)
2015-07-21 04:08 UTC, Nick Andrade
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-10-11 19:00:56 UTC
From ${URL} :


Two vulnerabilities have been reported in libtar, which can be exploited by malicious people to 
manipulate certain data.

The vulnerabilities are caused due to insufficient verification of path prefixes in the 
"tar_extract_glob()" and "tar_extract_all()" functions and can be exploited to overwrite arbitrary 

The vulnerabilities are reported in versions 1.2.20 and prior.

No official solution is currently available.

Provided and/or discovered by:
Timo Warns

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-02-20 19:55:53 UTC
CVE-2013-4420 (
  Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and
  (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote
  attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-20 20:16:24 UTC
Added to existing glsa draft.
Comment 3 Sergey Popov gentoo-dev 2014-02-21 07:29:00 UTC
Reverted adding to GLSA request - this issue is NOT fixed in 1.2.20
Comment 4 Nick Andrade 2015-07-21 04:08:55 UTC
Created attachment 407310 [details, diff]

Patch is derived form the Debian fix for the same CVE (  

I tested the patch using the steps documented in the Mageia bug ( and can confirm the patch fixes the issue.
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2015-07-21 05:37:20 UTC
Package has a new proxy maintainer.

*libtar-1.2.20-r3 (21 Jul 2015)

  21 Jul 2015; Ian Delaney <> +files/CVE-2013-4420.patch,
  revbump; sec. patch from Bug 487686, sourced, prepared and runtested by proxy
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2015-07-25 13:40:34 UTC
Arches CC'd. Please proceed with stabilisation given 1.2.20-r2 has been made stable.
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-28 07:37:55 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc ppc64 x86"
Comment 8 Agostino Sarubbo gentoo-dev 2015-07-28 08:05:54 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-07-28 08:06:20 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-07-30 15:19:07 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-08-26 07:29:42 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Manuel Rüger (RETIRED) gentoo-dev 2015-08-26 08:52:43 UTC
This is not stable for ppc64 yet:

Keywords for dev-libs/libtar:
          |                               | u   |  
          | a a   a         n   p     s   | n   |  
          | l m   r h i m m i   p s   p   | u s | r
          | p d a m p a 6 i o p c 3   a x | s l | e
          | h 6 r 6 p 6 8 p s p 6 9 s r 8 | e o | p
          | a 4 m 4 a 4 k s 2 c 4 0 h c 6 | d t | o
1.2.20-r2 | o + o o o o o o o + + o o ~ + | o 0 | gentoo
1.2.20-r3 | o + o o o o o o o + ~ o o + + | o   | gentoo
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-06 06:18:59 UTC
Stable for PPC64.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:01:52 UTC
Vote: NO.
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-09 22:23:59 UTC
GLSA Vote: No