tar vulnerability

2006.02.24
Credit: Martin Pitt
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=========================================================== Ubuntu Security Notice USN-257-1 February 23, 2006 tar vulnerability CVE-2006-0300 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: tar The problem can be corrected by upgrading the affected package to version 1.14-2ubuntu0.1 (for Ubuntu 5.04), or 1.15.1-2ubuntu0.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Jim Meyering discovered that tar did not properly verify the validity of certain header fields in a GNU tar archive. By tricking an user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user. The tar version in Ubuntu 4.10 is not affected by this vulnerability. Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1.di ff.gz Size/MD5: 21395 1f8f561b862e0eaa1d3d76ab5b0805cc http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1.ds c Size/MD5: 568 1ac96d117355d0c6501bcfc0603d7f35 http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14.orig.tar.gz Size/MD5: 1485633 3094544702b1affa32d969f0b6459663 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_am d64.deb Size/MD5: 374144 92a29882b472aae37c4f241a2b3d70b7 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_i3 86.deb Size/MD5: 366426 bd8a627f95eea1d4dd38da1b8cb755a2 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_po werpc.deb Size/MD5: 377108 8d1b6600f06a051dc7236e8e65c2032f Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1. diff.gz Size/MD5: 28928 e545480fd691241448cd885504e50393 http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1. dsc Size/MD5: 576 c9d9bf92c8460d314cb3320666b01294 http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1.orig.tar.gz Size/MD5: 2204322 d87021366fe6488e9dc398fcdcb6ed7d amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_ amd64.deb Size/MD5: 531590 9f7a550698b0a138f4d92ec06ecfec96 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_ i386.deb Size/MD5: 519510 fd362a5872f6924e491e2caf7639162b powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_ powerpc.deb Size/MD5: 533538 c8148419548837909a81da6983af2964 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (GNU/Linux) iD8DBQFD/cH6DecnbV4Fd/IRAk3oAJ0ZfcbllOf0EePF9fbKs4HRPktmCQCg7svG TYGljxHntymH5GdKMhFJK3I= =QI2i -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top