GNU Tar: User-assisted execution of arbitrary code — GLSA 201111-11

A buffer overflow flaw in GNU Tar could result in execution of arbitrary code or a Denial of Service.

Affected packages

app-arch/tar on all architectures
Affected versions < 1.23
Unaffected versions >= 1.23

Background

GNU Tar is a utility to create archives as well as add and extract files from archives.

Description

GNU Tar contains a boundary error in the rmt_read__ function in lib/rtapelib.c that can lead to a heap-based buffer overflow.

Impact

A remote attacker could entice the user to load a specially crafted archive, possibly resulting in the execution of arbitrary code or a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All GNU Tar users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-arch/tar-1.23"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since July 18, 2010. It is likely that your system is already no longer affected by this issue.
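A quick way to tell whether a host is still in the affected range, as an added example that is not part of the advisory: the function below parses the first line of `tar --version` and returns 0 when the version is below 1.23 (affected), 1 when it is 1.23 or later, and 2 when the line is not GNU tar output. The version strings used to exercise it are constructed, not taken from the page.

```shell
# Added example (not from the GLSA): classify a GNU tar version string
# against the affected range from this advisory (< 1.23).
# $1 is the first line of `tar --version`, e.g. "tar (GNU tar) 1.22".
tar_is_affected() {
    # Extract the dotted version number; anything that is not GNU tar is unparseable.
    ver=$(printf '%s\n' "$1" | sed -n 's/^tar (GNU tar) \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    # A bare "1" has no minor component; treat it as 1.0.
    [ "$rest" = "$ver" ] && rest=0
    minor=${rest%%.*}
    # Affected when version < 1.23 (numeric compare, so 1.9 < 1.23 is handled).
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -lt 23 ]; then return 0; fi
    return 1
}

# Check the tar actually installed on this host (needs tar in PATH).
check_installed_tar() {
    line=$(tar --version 2>/dev/null | head -n 1) || return 2
    tar_is_affected "$line"
}
```

Run `check_installed_tar && echo affected` on a host to see whether the upgrade above is still needed.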

References

Release date
November 20, 2011

Latest revision
November 20, 2011: 1

Severity
normal

Exploitable
remote

Bugzilla entries