Debian Security Advisory

DSA-3702-1 tar -- security update

Date Reported: 01 Nov 2016
Affected Packages: tar
Vulnerable: Yes
Security database references:
In the Debian bugtracking system: Bug 842339.
In Mitre's CVE dictionary: CVE-2016-6321.
More information:

Harry Sintonen discovered that GNU tar does not properly handle member names containing '..', thus allowing an attacker to bypass the path names specified on the command line and replace files and directories in the target directory.
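The advisory describes member names containing '..' that match a path name given on the command line yet resolve outside it. The following Python script is an added example, not code from the advisory or from GNU tar: it builds a small constructed archive in memory, flags members whose raw name is absolute or contains a '..' component, and, when given the directory an operator would name on the command line (here the hypothetical prefix "docs"), reports members that match that prefix but escape it after normalisation. The extraction wrapper refuses the archive entirely when anything is flagged.

```python
import io
import posixpath
import tarfile
from typing import List, Optional, Tuple


def build_sample_archive() -> bytes:
    """Build a constructed two-member archive in memory (sample data, not from the advisory).

    The second member name uses '..' so that it matches the prefix "docs/"
    as a string but would be written beside docs/ rather than inside it.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [
            ("docs/readme.txt", b"ordinary member\n"),
            ("docs/../escaped.txt", b"resolves outside docs/\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies beneath prefix/ (pure string test)."""
    return path == prefix or path.startswith(prefix + "/")


def audit_members(archive: bytes, requested: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member that should not be extracted as-is.

    Checks follow the advisory's description:
      * any member whose raw name is absolute or contains a '..' component;
      * when `requested` (the path name the operator would pass on the command
        line) is given, a member whose raw name matches that prefix but whose
        normalised name does not stay beneath it gets a more specific reason.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf.getmembers():
            name = member.name  # raw name as stored in the header, no normalisation
            if name.startswith("/"):
                findings.append((name, "absolute path"))
                continue
            if ".." in name.split("/"):
                reason = "contains '..'"
                if (requested is not None
                        and _under(name, requested)
                        and not _under(posixpath.normpath(name), requested)):
                    reason = f"matches {requested}/ but escapes it"
                findings.append((name, reason))
    return findings


def extract_checked(archive: bytes, dest: str, requested: Optional[str] = None) -> int:
    """Extract only if the audit is clean; otherwise refuse. Returns the member count on success."""
    findings = audit_members(archive, requested)
    if findings:
        raise ValueError(f"refusing to extract: {findings}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        members = tf.getmembers()
        tf.extractall(dest, members=members)
        return len(members)


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reason in audit_members(sample, requested="docs"):
        print(f"{name}: {reason}")
```

Run the script before handing an untrusted archive to `tar x`; a non-empty report means the archive names paths that a prefix match on the command line would not keep inside the chosen directory.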

For the stable distribution (jessie), this problem has been fixed in version 1.27.1-2+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 1.29b-1.1.

We recommend that you upgrade your tar packages.