Ubuntu: tar vulnerability

    Date: 27 Nov 2006
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.
    =========================================================== 
    Ubuntu Security Notice USN-385-1          November 27, 2006
    tar vulnerability
    CVE-2006-6097
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 5.10
    Ubuntu 6.06 LTS
    Ubuntu 6.10
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 5.10:
      tar                                      1.15.1-2ubuntu0.2
    
    Ubuntu 6.06 LTS:
      tar                                      1.15.1-2ubuntu2.1
    
    Ubuntu 6.10:
      tar                                      1.15.91-2ubuntu0.3
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    Details follow:
    
    Teemu Salmela discovered that tar still handled the deprecated 
    GNUTYPE_NAMES record type.  This record type could be used to create 
    symlinks that would be followed while unpacking a tar archive.  If a 
    user or an automated system were tricked into unpacking a specially 
    crafted tar file, arbitrary files could be overwritten with user 
    privileges.
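
A pre-extraction check for the condition described above, as an added example that is not part of the Ubuntu notice or of GNU tar: it reads archive headers without unpacking anything and flags records of the deprecated type. It goes beyond the advisory by also flagging members stored beneath a symlink declared earlier in the archive. It assumes GNUTYPE_NAMES is typeflag 'N' as in GNU tar's tar.h; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

GNUTYPE_NAMES = b"N"  # assumption: typeflag of the deprecated record in GNU tar.h


def audit_tar(fileobj):
    """List (member_name, reason) findings by reading headers only; nothing is extracted."""
    findings, symlinks = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            if member.type == GNUTYPE_NAMES:
                findings.append((member.name, "GNUTYPE_NAMES record"))
                continue
            name = posixpath.normpath(member.name).lstrip("/")
            # A member stored beneath an earlier symlink is written through that
            # link by any extractor that follows it.
            parent = posixpath.dirname(name)
            while parent:
                if parent in symlinks:
                    findings.append((member.name, "path passes through symlink " + parent))
                    break
                parent = posixpath.dirname(parent)
            if member.issym():
                symlinks.add(name)
                target = member.linkname
                if target.startswith("/") or ".." in target.split("/"):
                    findings.append((member.name, "symlink target leaves extraction dir: " + target))
    return findings


def build_sample():
    """Constructed in-memory archive with placeholder contents, for demonstration only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as archive:
        def add(name, kind, data=b"", linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.size = kind, linkname, len(data)
            archive.addfile(info, io.BytesIO(data))
        add("README", tarfile.REGTYPE, b"hello\n")
        add("legacy-names", GNUTYPE_NAMES, b"placeholder\n")
        add("docs", tarfile.SYMTYPE, linkname="../outside")
        add("docs/notes.txt", tarfile.REGTYPE, b"x\n")
    buf.seek(0)
    return buf
```

Running `audit_tar` on an archive from an untrusted source before unpacking it gives an automated pipeline a reason to reject the file even when the installed tar has not yet been upgraded.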
    
    
    Updated packages for Ubuntu 5.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.2.diff.gz
          Size/MD5:    29654 155f4628f9fef19aa20e3927a857fd0d
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.2.dsc
          Size/MD5:      574 22006def60be25510613a955ca7e90d2
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1.orig.tar.gz
          Size/MD5:  2204322 d87021366fe6488e9dc398fcdcb6ed7d
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.2_amd64.deb
          Size/MD5:   531932 d507bfc76276c9cc43ebf56f9d69038a
    
      i386 architecture (x86 compatible Intel/AMD)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.2_i386.deb
          Size/MD5:   519858 ed19ee38f074d841366737e880a5c626
    
      powerpc architecture (Apple Macintosh G3/G4/G5)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.2_powerpc.deb
          Size/MD5:   533886 5d0d477d0bbe5589f5a3181144099c92
    
      sparc architecture (Sun SPARC/UltraSPARC)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.2_sparc.deb
          Size/MD5:   525056 1fa9aa25fbbc81c4fcf767c28b4eb991
    
    Updated packages for Ubuntu 6.06 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.1.diff.gz
          Size/MD5:    30078 32b5ca833a90aa5bcbc3941a07dbf81a
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.1.dsc
          Size/MD5:      574 c68c40e5d79b9afd13626694b0bcb2d4
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1.orig.tar.gz
          Size/MD5:  2204322 d87021366fe6488e9dc398fcdcb6ed7d
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.1_amd64.deb
          Size/MD5:   532022 ddcb1e2e8770645f683b462b095ff851
    
      i386 architecture (x86 compatible Intel/AMD)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.1_i386.deb
          Size/MD5:   519384 be7fa1ac67587e1ef574ed457e967454
    
      powerpc architecture (Apple Macintosh G3/G4/G5)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.1_powerpc.deb
          Size/MD5:   533876 4b9404feef3aaaf23cf28abd1432517b
    
      sparc architecture (Sun SPARC/UltraSPARC)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.1_sparc.deb
          Size/MD5:   523654 1164fe3b20e4f530df21258907f3cd9d
    
    Updated packages for Ubuntu 6.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.91-2ubuntu0.3.diff.gz
          Size/MD5:    16849 1776a8a649f3fec68c6990accd5f47c8
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.91-2ubuntu0.3.dsc
          Size/MD5:      596 58f9bea1622976afa48a7eb61e8945e8
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.91.orig.tar.gz
          Size/MD5:  2016367 e2338a16b0464ec03826e000dae990a0
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.91-2ubuntu0.3_amd64.deb
          Size/MD5:   361636 9580b1e23dc58caf6af9543dbe045dca
    
      i386 architecture (x86 compatible Intel/AMD)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.91-2ubuntu0.3_i386.deb
          Size/MD5:   346396 4bb2868d5fc2855a8242c6c89c7afb12
    
      powerpc architecture (Apple Macintosh G3/G4/G5)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.91-2ubuntu0.3_powerpc.deb
          Size/MD5:   365486 79ddf1293d8e759fd96fee0c612d6000
    
      sparc architecture (Sun SPARC/UltraSPARC)
    
        http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.91-2ubuntu0.3_sparc.deb
          Size/MD5:   348136 ffdb48742e8bc415682f18d6c74f70c2
    
    
    