Arch Linux Security Advisory ASA-201611-11

Severity: Medium
Date : 2016-11-03
CVE-ID : CVE-2016-6321
Package : tar
Type : arbitrary file overwrite
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE

Summary

The package tar before version 1.29-2 is vulnerable to arbitrary file
overwrite.

Resolution

Upgrade to 1.29-2.

pacman -Syu “tar>=1.29-2”

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

The GNU tar archiver attempts to avoid path traversal attacks by
removing offending parts of the element name at extract. This
sanitizing leads to a vulnerability where the attacker can bypass the
path name(s) specified on the command line leading to arbitrary
overwrite of files and directories inside the target directory.

Impact

A remote attacker is able to use a specially crafted tar archive that,
when extracted by the victim, replaces files and directories regardless
of the path name(s) specified.

References

https://bugs.archlinux.org/task/51563
http://seclists.org/fulldisclosure/2016/Oct/96
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea053
https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt
https://access.redhat.com/security/cve/CVE-2016-6321