Archive::Tar: Directory traversal vulnerability — GLSA 200812-10

A directory traversal vulnerability has been discovered in Archive::Tar.

Affected Packages

perl-core/Archive-Tar on all architectures
Affected versions < 1.40
Unaffected versions >= 1.40

Background

Archive::Tar is a Perl module for creation and manipulation of tar files.

Description

Jonathan Smith of rPath reported that Archive::Tar does not check for ".." in file names.

Impact

A remote attacker could entice a user or automated system to extract a specially crafted tar archive, overwriting files at arbitrary locations outside of the specified directory.

Workaround

There is no known workaround at this time.

Resolution

All Archive::Tar users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=perl-core/Archive-Tar-1.40"

References

Release Date
December 10, 2008

Latest Revision
December 10, 2008: 01

Severity
normal

Exploitable
remote

Bugzilla entries