Vulnerability CVE-2013-4420: Information
Description
Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.
Severity: MEDIUM (5.8)
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
libtar | sisyphus | 1.2.20-alt2.git.6d0ab4c | 1.2.20-alt4.git.6d0ab4c | ALT-PU-2020-3172-1 | 260678 | Fixed |
libtar | p10 | 1.2.20-alt2.git.6d0ab4c | 1.2.20-alt4.git.6d0ab4c | ALT-PU-2020-3172-1 | 260678 | Fixed |
libtar | p9 | 1.2.20-alt2.git.6d0ab4c | 1.2.20-alt2.git.6d0ab4c | ALT-PU-2020-3184-1 | 260680 | Fixed |
libtar | c10f1 | 1.2.20-alt2.git.6d0ab4c | 1.2.20-alt2.git.6d0ab4c | ALT-PU-2020-3172-1 | 260678 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860 | |
[libtar] 20150213 Fw: Re: Validation of file names | |
DSA-2863 | |