Debian Security Advisory
DSA-3702-1 tar -- security update
- Date Reported:
- 01 Nov 2016
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 842339.
In Mitre's CVE dictionary: CVE-2016-6321.
- More information:
Harry Sintonen discovered that GNU tar does not properly handle member names containing '..', thus allowing an attacker to bypass the path names specified on the command line and replace files and directories in the target directory.
For the stable distribution (jessie), this problem has been fixed in version 1.27.1-2+deb8u1.
For the unstable distribution (sid), this problem has been fixed in version 1.29b-1.1.
We recommend that you upgrade your tar packages.