Debian: DSA-3562-1 Critical Tardiff Shell Injection and File Overwrite
debian
May 1, 2016
Several vulnerabilities were discovered in tardiff, a tarball comparison tool
Topics Covered
Summary
CVE-2015-0857
Rainer Mueller and Florian Weimer discovered that tardiff is prone
to shell command injections via shell meta-characters in filenames
in tar files or via shell meta-characters in the tar filename
itself.
CVE-2015-0858
Florian Weimer discovered that tardiff uses predictable temporary
directories for unpacking tarballs. A malicious user can use this
flaw to overwrite files with permissions of the user running the
tardiff command line tool.
For the stable distribution (jessie), these problems have been fixed in
version 0.1-2+deb8u2.
For the unstable distribution (sid), these problems have been fixed in
version 0.1-5 and partially in earlier versions.
We recommend that you upgrade your tardiff packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: tardiff
CVE ID: CVE-2015-0857 CVE-2015-0858
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!