In association with heise online

16 July 2007, 08:34

Code injection through tar archives in FreeBSD


The developers of FreeBSD have released an update to fix vulnerabilities in the libarchive library, which is used, for instance, by the tar command for stream processing. These security holes may cause programs to enter an infinite loop, crash or execute arbitrary code.

Since tar archives are very common and widespread, administrators are advised to update their distribution. The FreeBSD developers recommend updating to 5-STABLE or 6-STABLE, or to the RELENG_6_2, RELENG_6_1 or RELENG_5_5 security branch, dated after the correction date of July 12, 2007.

Currently, FreeBSD uses the GNU version of cpio, which does not access libarchive, and so the cpio command is not susceptible to the flaw. A cpio version based on libarchive is still under development.
