Wed, 29 Nov 2006

12:50 PM - GNU tar

Teemu Salmela has reported a security issue in GNU tar, which can be
exploited by malicious people to overwrite arbitrary files.

The security issue is caused by the "extract_archive()" function
in extract.c and the "extract_mangle()" function in mangle.c still
processing the deprecated "GNUTYPE_NAMES" record type containing
symbolic links. This can be exploited to overwrite arbitrary files,
e.g. by tricking a user into unpacking a specially crafted tar file.

The security issue is reported in versions 1.15.1 and 1.16. Other
versions may also be affected.
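
A pre-extraction check for the record type named above, as an added example that is not part of the original advisory or of GNU tar's code: it walks the raw 512-byte headers and reports any member whose typeflag is 'N', the value GNU tar's tar.h assigns to GNUTYPE_NAMES. The helper names and the sample archive are constructed for illustration, and size fields are assumed to be octal (anything else raises an error).

```python
import io
import tarfile

BLOCK = 512
GNUTYPE_NAMES = b"N"       # typeflag GNU tar's tar.h defines for the deprecated record
NO_DATA_TYPES = b"123456"  # links, devices, directories, FIFOs: no data blocks follow

def _octal(field: bytes) -> int:
    """Parse a NUL/space-padded octal header field; an empty field counts as 0."""
    return int(field.strip(b" \0") or b"0", 8)

def find_names_records(data: bytes) -> list:
    """Return the member names of all headers typed GNUTYPE_NAMES."""
    hits, off = [], 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr.count(0) == BLOCK:              # zero block marks end of archive
            break
        # The checksum is computed with its own field read as eight spaces.
        if _octal(hdr[148:156]) != sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:]):
            raise ValueError(f"bad header checksum at offset {off}")
        typeflag = hdr[156:157]
        if typeflag == GNUTYPE_NAMES:
            hits.append(hdr[:100].split(b"\0", 1)[0].decode("utf-8", "replace"))
        size = 0 if typeflag in NO_DATA_TYPES else _octal(hdr[124:136])
        off += BLOCK + -(-size // BLOCK) * BLOCK   # header plus padded data
    return hits

def build_sample(with_names_record: bool) -> bytes:
    """Constructed test archive; the 'N' member holds harmless placeholder text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        members = [("README", tarfile.REGTYPE, b"hello\n")]
        if with_names_record:
            members.append(("constructed-names-record", GNUTYPE_NAMES, b"placeholder\n"))
        for name, typeflag, body in members:
            info = tarfile.TarInfo(name)
            info.type, info.size = typeflag, len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    for label, flag in (("clean", False), ("suspect", True)):
        print(label, find_names_records(build_sample(flag)))
```

An archive for which this returns a non-empty list should not be unpacked with the affected tar versions.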


---

MidnightBSD mports included 1.15.1, which is vulnerable.
