Gentoo Archives: gentoo-commits

From: "Raphael Marichez (falco)" <falco@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200709-09.xml
Date: Sat, 15 Sep 2007 22:30:51

falco       07/09/15 22:23:21

  Added:                glsa-200709-09.xml
  GLSA 200709-09

Revision  Changes    Path
1.1                  xml/htdocs/security/en/glsa/glsa-200709-09.xml

file :

Index: glsa-200709-09.xml
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

<glsa id="200709-09">
  <title>GNU Tar: Directory traversal vulnerability</title>
    A directory traversal vulnerability has been discovered in GNU Tar.
  <product type="ebuild">tar</product>
  <announced>September 15, 2007</announced>
  <revised>September 15, 2007: 01</revised>
    <package name="app-arch/tar" auto="yes" arch="*">
      <unaffected range="ge">1.18-r2</unaffected>
      <vulnerable range="lt">1.18-r2</vulnerable>
    The GNU Tar program provides the ability to create tar archives, as
    well as various other kinds of manipulation.
    Dmitry V. Levin discovered a directory traversal vulnerability in the
    contains_dot_dot() function in file src/names.c.
  <impact type="normal">
    By enticing a user to extract a specially crafted tar archive, a remote
    attacker could extract files to arbitrary locations outside of the
    specified directory with the permissions of the user running GNU Tar.
    There is no known workaround at this time.
    All GNU Tar users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=app-arch/tar-1.18-r2&quot;</code>
    <uri link="">CVE-2007-4131</uri>
  <metadata tag="submitter" timestamp="Thu, 13 Sep 2007 18:11:35 +0000">
  <metadata tag="bugReady" timestamp="Thu, 13 Sep 2007 18:49:13 +0000">
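
Review bot: the reference line `<uri link="">CVE-2007-4131</uri>` has an empty `link` attribute, so the rendered advisory gives readers nothing to follow for the CVE; fill in the URL of the CVE-2007-4131 entry. As the file appears here, the `</code>` at the end of the second emerge line has no opening `<code>`, and `<impact type="normal">`, the `<package>` element, both `<metadata>` elements and `<glsa id="200709-09">` are never closed, so it is worth confirming that the committed file is well-formed XML before it is published.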
