tar -- input validation error

ID DSA-1223
Type debian
Reporter Debian
Modified 2006-12-01T00:00:00


Teemu Salmela discovered a vulnerability in GNU tar that could allow a malicious user to overwrite arbitrary files by inducing the victim to attempt to extract a specially crafted tar file containing a GNUTYPE_NAMES record with a symbolic link.

For the stable distribution (sarge), this problem has been fixed in version 1.14-2.3.

For the unstable distribution (sid) and the forthcoming stable release (etch), this problem will be fixed in version 1.16-2.

We recommend that you upgrade your tar package.
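
A pre-extraction check for the record types named above, as an added example that is not part of the original advisory: it walks the raw 512-byte tar headers without extracting anything and reports GNUTYPE_NAMES records (typeflag 'N' in GNU tar's tar.h) and symbolic links. The function names, sample file names and the placeholder record body are constructed for illustration.

```python
import io
import tarfile

BLOCK = 512
# Typeflag byte at header offset 156. b"N" is GNUTYPE_NAMES in GNU tar's
# tar.h; b"2" is the standard symbolic-link type.
SUSPECT = {b"N": "GNUTYPE_NAMES", b"2": "symlink"}


def scan_headers(data: bytes):
    """Walk raw 512-byte headers without extracting; return flagged entries."""
    findings, pos = [], 0
    while pos + BLOCK <= len(data):
        hdr = data[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:          # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size_field = hdr[124:136].strip(b"\0 ")
        # Assumption: plain octal size fields (no GNU base-256 encoding).
        size = int(size_field, 8) if size_field else 0
        flag = hdr[156:157]
        if flag in SUSPECT:
            findings.append((pos, SUSPECT[flag], name))
        # Skip the header plus its payload, padded to a whole block.
        pos += BLOCK + -(-size // BLOCK) * BLOCK
    return findings


def build_sample() -> bytes:
    """Constructed sample: one file, one symlink, one 'N' record (dummy body)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        reg = tarfile.TarInfo("notes.txt")
        reg.size = 5
        tf.addfile(reg, io.BytesIO(b"hello"))
        link = tarfile.TarInfo("latest")
        link.type, link.linkname = tarfile.SYMTYPE, "notes.txt"
        tf.addfile(link)
        names = tarfile.TarInfo("names-record")
        names.type = b"N"                  # not a type the tarfile module defines
        body = b"constructed placeholder body"
        names.size = len(body)
        tf.addfile(names, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for offset, kind, name in scan_headers(build_sample()):
        print(f"offset {offset}: {kind} entry {name!r}")
```

Symbolic links are common in legitimate archives, so a flagged entry is a prompt to inspect the archive before extracting it with an unpatched tar, not proof of tampering.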