Code injection through tar archives in FreeBSD
The developers of FreeBSD have released an update to fix vulnerabilities in the libarchive library, which is used, for instance, by the tar command for stream processing. When a program handles a corrupt tar file, these security holes may cause it to enter an infinite loop, crash or execute arbitrary code.
Since tar archives are very widespread, administrators are advised to update their distribution. The FreeBSD developers recommend updating to 5-STABLE or 6-STABLE, or to the RELENG_6_2, RELENG_6_1 or RELENG_5_5 security branches dated after the correction date, July 12, 2007.
Currently, FreeBSD uses the GNU version of cpio, which does not access libarchive, and so the cpio command is not susceptible to the flaw. A cpio version based on libarchive is still under development.
- Errors handling corrupt tar files in libarchive, security advisory by the FreeBSD developers
- Homepage with current sources of libarchive
(mba)