In association with heise online

24 August 2007, 12:07

Vulnerability in GNU tar allows file overwriting

Red Hat has reported a security vulnerability in GNU tar. The file archiving program contains a directory traversal vulnerability that can be exploited with specially crafted archives. For example, directory entries containing "../" can be used to overwrite arbitrary files for which the user has write privileges.

The path search function contains_dot_dot() in the file names.c was faulty. A source code patch that eliminates the vulnerability is provided in Red Hat's Bugzilla system. The vulnerability is present in the current GNU tar version 1.18 and previous versions. Now that Red Hat has acted, it is likely that the other Linux distributors will provide updated packages, which users should install as quickly as possible.
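A component-wise check of the kind a function such as contains_dot_dot() has to perform, as an added example that is not GNU tar's code or Red Hat's patch. The names has_dotdot_component() and count_rejected() are hypothetical, and the member names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not GNU tar's contains_dot_dot()): returns true if any
   '/'-separated component of NAME is exactly "..". Repeated separators are
   skipped, so "a//../b" is caught; ".." inside a longer name is not flagged. */
bool has_dotdot_component(const char *name) {
    const char *p = name;
    while (*p) {
        while (*p == '/')
            p++;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return true;
    }
    return false;
}

/* Count the member names in a listing that an extractor should refuse. */
size_t count_rejected(const char *const *names, size_t n) {
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (has_dotdot_component(names[i]))
            rejected++;
    return rejected;
}

/* Constructed sample member names, not taken from a real archive. */
static const char *const sample_names[] = {
    "docs/readme.txt",      /* ordinary relative path: ok */
    "../outside/target",    /* leading ".." component */
    "docs/../../target",    /* ".." in the middle */
    "docs/..",              /* trailing ".." component */
    "docs//..//x",          /* ".." between repeated separators */
    "notes..txt",           /* ".." inside a file name: ok */
    "..hidden/file",        /* name that merely starts with "..": ok */
    "a/.../b",              /* three dots is an ordinary name: ok */
};

int main(void) {
    size_t n = sizeof sample_names / sizeof sample_names[0];
    for (size_t i = 0; i < n; i++)
        printf("%-20s %s\n", sample_names[i],
               has_dotdot_component(sample_names[i]) ? "REJECT" : "ok");
    printf("rejected: %zu of %zu\n", count_rejected(sample_names, n), n);
    return 0;
}
```

A substring search for "../" would miss the trailing "docs/.." case and a search for ".." alone would wrongly reject "notes..txt", which is why the check works on whole path components.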
