Vulnerabilities > CVE-2006-0300 - Buffer Overflow vulnerability in GNU Tar Invalid Headers
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 5 |
Nessus
NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0089_TAR.NASL description The remote NewStart CGSL host, running version MAIN 4.06, has tar packages installed that are affected by multiple vulnerabilities: - Buffer overflow in tar 1.14 through 1.15.90 allows user- assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. (CVE-2006-0300) - GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. (CVE-2006-6097) - Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. (CVE-2007-4131) - Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a crashing stack. (CVE-2007-4476) - Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. (CVE-2010-0624) - Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. (CVE-2016-6321) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127307 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127307 title NewStart CGSL MAIN 4.06 : tar Multiple Vulnerabilities (NS-SA-2019-0089) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0089. The text # itself is copyright (C) ZTE, Inc. include("compat.inc"); if (description) { script_id(127307); script_version("1.3"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id( "CVE-2006-0300", "CVE-2006-6097", "CVE-2007-4131", "CVE-2007-4476", "CVE-2010-0624", "CVE-2016-6321" ); script_name(english:"NewStart CGSL MAIN 4.06 : tar Multiple Vulnerabilities (NS-SA-2019-0089)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version MAIN 4.06, has tar packages installed that are affected by multiple vulnerabilities: - Buffer overflow in tar 1.14 through 1.15.90 allows user- assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. (CVE-2006-0300) - GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. (CVE-2006-6097) - Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. (CVE-2007-4131) - Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a crashing stack. (CVE-2007-4476) - Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. (CVE-2010-0624) - Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. (CVE-2016-6321) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0089"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL tar packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-4476"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/24"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL MAIN 4.06") audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.06'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL MAIN 4.06": [ "tar-1.23-15.el6_8.cgslv4_6.0.1.gff7e116", "tar-debuginfo-1.23-15.el6_8.cgslv4_6.0.1.gff7e116" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tar"); }NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_118192.NASL description SunOS 5.9_x86: gtar patch. Date this patch was last updated by Sun : Apr/19/10 last seen 2020-06-01 modified 2020-06-02 plugin id 35001 published 2008-12-02 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35001 title Solaris 9 (x86) : 118192-05 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text in this plugin was # extracted from the Oracle SunOS Patch Updates. # include("compat.inc"); if (description) { script_id(35001); script_version("1.14"); script_cvs_date("Date: 2019/10/25 13:36:27"); script_cve_id("CVE-2006-0300"); script_name(english:"Solaris 9 (x86) : 118192-05"); script_summary(english:"Check for patch 118192-05"); script_set_attribute( attribute:"synopsis", value:"The remote host is missing Sun Security Patch number 118192-05" ); script_set_attribute( attribute:"description", value: "SunOS 5.9_x86: gtar patch. Date this patch was last updated by Sun : Apr/19/10" ); script_set_attribute( attribute:"see_also", value:"https://getupdates.oracle.com/readme/118192-05" ); script_set_attribute( attribute:"solution", value:"You should install this patch for your system to be up-to-date." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris"); script_set_attribute(attribute:"patch_publication_date", value:"2010/04/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"Solaris Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("solaris.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (solaris_check_patch(release:"5.9_x86", arch:"i386", patch:"118192-05", obsoleted_by:"", package:"SUNWgtar", version:"11.9.0,REV=2002.03.02.00.30") < 0) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:solaris_get_report()); else security_warning(0); exit(0); } audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-257-1.NASL description Jim Meyering discovered that tar did not properly verify the validity of certain header fields in a GNU tar archive. By tricking an user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user. The tar version in Ubuntu 4.10 is not affected by this vulnerability. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 21065 published 2006-03-13 reporter Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21065 title Ubuntu 5.04 / 5.10 : tar vulnerability (USN-257-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-257-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(21065); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2006-0300"); script_xref(name:"USN", value:"257-1"); script_name(english:"Ubuntu 5.04 / 5.10 : tar vulnerability (USN-257-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Jim Meyering discovered that tar did not properly verify the validity of certain header fields in a GNU tar archive. By tricking an user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user. The tar version in Ubuntu 4.10 is not affected by this vulnerability. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected tar package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:tar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10"); script_set_attribute(attribute:"patch_publication_date", value:"2006/02/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/03/13"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(5\.04|5\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.04 / 5.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"5.04", pkgname:"tar", pkgver:"1.14-2ubuntu0.1")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"tar", pkgver:"1.15.1-2ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tar"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-046.NASL description Gnu tar versions 1.14 and above have a buffer overflow vulnerability and some other issues including : - Carefully crafted invalid headers can cause buffer overrun. - Invalid header fields go undiagnosed. - Some valid time strings are ignored. The updated packages have been patched to address this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 20964 published 2006-02-22 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20964 title Mandrake Linux Security Advisory : tar (MDKSA-2006:046) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2007-004.NASL description The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2007-004 applied. This update fixes security flaws in the following applications : AFP Client AirPort CarbonCore diskdev_cmds fetchmail ftpd gnutar Help Viewer HID Family Installer Kerberos Libinfo Login Window network_cmds SMB System Configuration URLMount Video Conference WebDAV last seen 2020-06-01 modified 2020-06-02 plugin id 25081 published 2007-04-21 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25081 title Mac OS X Multiple Vulnerabilities (Security Update 2007-004) NASL family Solaris Local Security Checks NASL id SOLARIS10_139099-07.NASL description SunOS 5.10: gtar patch. Date this patch was last updated by Sun : Jul/16/18 last seen 2020-06-01 modified 2020-06-02 plugin id 111115 published 2018-07-17 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111115 title Solaris 10 (sparc) : 139099-07 NASL family Debian Local Security Checks NASL id DEBIAN_DSA-987.NASL description Jim Meyering discovered several buffer overflows in GNU tar, which may lead to the execution of arbitrary code through specially crafted tar archives. last seen 2020-06-01 modified 2020-06-02 plugin id 22853 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22853 title Debian DSA-987-1 : tar - buffer overflow NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_139100-04.NASL description SunOS 5.10_x86: gtar patch. Date this patch was last updated by Sun : Apr/19/10 last seen 2020-06-01 modified 2020-06-02 plugin id 108007 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108007 title Solaris 10 (x86) : 139100-04 NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_139100-07.NASL description SunOS 5.10_x86: gtar patch. Date this patch was last updated by Sun : Jul/16/18 last seen 2020-06-01 modified 2020-06-02 plugin id 111125 published 2018-07-17 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111125 title Solaris 10 (x86) : 139100-07 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0232.NASL description An updated tar package that fixes a buffer overflow bug is now available for Red Hat Enterprise Linux 4. This update has been rated as having Moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Jim Meyering discovered a buffer overflow bug in the way GNU tar extracts malformed archives. By tricking a user into extracting a malicious tar archive, it is possible to execute arbitrary code as the user running tar. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0300 to this issue. Users of tar should upgrade to this updated package, which contains a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 21005 published 2006-03-06 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21005 title RHEL 4 : tar (RHSA-2006:0232) NASL family Solaris Local Security Checks NASL id SOLARIS9_118191.NASL description SunOS 5.9: gtar patch. Date this patch was last updated by Sun : Apr/19/10 last seen 2020-06-01 modified 2020-06-02 plugin id 34997 published 2008-12-02 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34997 title Solaris 9 (sparc) : 118191-05 NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0232.NASL description An updated tar package that fixes a buffer overflow bug is now available for Red Hat Enterprise Linux 4. This update has been rated as having Moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Jim Meyering discovered a buffer overflow bug in the way GNU tar extracts malformed archives. By tricking a user into extracting a malicious tar archive, it is possible to execute arbitrary code as the user running tar. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0300 to this issue. Users of tar should upgrade to this updated package, which contains a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 21988 published 2006-07-05 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21988 title CentOS 4 : tar (CESA-2006:0232) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200603-06.NASL description The remote host is affected by the vulnerability described in GLSA-200603-06 (GNU tar: Buffer overflow) Jim Meyering discovered a flaw in the handling of certain header fields that could result in a buffer overflow when extracting or listing the contents of an archive. Impact : A remote attacker could construct a malicious tar archive that could potentially execute arbitrary code with the privileges of the user running GNU tar. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 21044 published 2006-03-13 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21044 title GLSA-200603-06 : GNU tar: Buffer overflow NASL family Solaris Local Security Checks NASL id SOLARIS10_139099.NASL description SunOS 5.10: gtar patch. Date this patch was last updated by Sun : Apr/19/10 This plugin has been deprecated and either replaced with individual 139099 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 34106 published 2008-09-08 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=34106 title Solaris 10 (sparc) : 139099-04 (deprecated) NASL family MacOS X Local Security Checks NASL id MACOSX_10_4_9.NASL description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog last seen 2020-06-01 modified 2020-06-02 plugin id 24811 published 2007-03-13 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24811 title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0153_TAR.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has tar packages installed that are affected by multiple vulnerabilities: - Buffer overflow in tar 1.14 through 1.15.90 allows user- assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. (CVE-2006-0300) - GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. (CVE-2006-6097) - Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. (CVE-2007-4131) - Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a crashing stack. (CVE-2007-4476) - Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. (CVE-2010-0624) - Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. (CVE-2016-6321) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127428 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127428 title NewStart CGSL MAIN 4.05 : tar Multiple Vulnerabilities (NS-SA-2019-0153) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_139100.NASL description SunOS 5.10_x86: gtar patch. Date this patch was last updated by Sun : Apr/19/10 This plugin has been deprecated and either replaced with individual 139100 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 34107 published 2008-09-08 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=34107 title Solaris 10 (x86) : 139100-04 (deprecated) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6107EFB9AAE311DAAEA1000854D03344.NASL description GNU tar is vulnerable to a buffer overflow, caused by improper bounds checking of the PAX extended headers. By tricking an user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user. last seen 2020-06-01 modified 2020-06-02 plugin id 21437 published 2006-05-13 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21437 title FreeBSD : gtar -- invalid headers buffer overflow (6107efb9-aae3-11da-aea1-000854d03344) NASL family Solaris Local Security Checks NASL id SOLARIS10_139099-04.NASL description SunOS 5.10: gtar patch. Date this patch was last updated by Sun : Apr/19/10 last seen 2020-06-01 modified 2020-06-02 plugin id 107509 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107509 title Solaris 10 (sparc) : 139099-04
Oval
accepted 2009-06-15T04:00:39.412-04:00 class vulnerability contributors name Michael Wood organization Hewlett-Packard definition_extensions comment Solaris 10 (x86) is installed oval oval:org.mitre.oval:def:1926 description Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. family unix id oval:org.mitre.oval:def:5252 status accepted submitted 2009-04-30T11:23:00.000-04:00 title Security Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS) version 35 accepted 2009-06-15T04:00:53.458-04:00 class vulnerability contributors name Michael Wood organization Hewlett-Packard definition_extensions comment Solaris 10 (SPARC) is installed oval oval:org.mitre.oval:def:1440 description Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. family unix id oval:org.mitre.oval:def:5978 status accepted submitted 2009-04-30T11:23:00.000-04:00 title Security Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS) version 35 accepted 2009-06-15T04:00:54.861-04:00 class vulnerability contributors name Michael Wood organization Hewlett-Packard definition_extensions comment Solaris 9 (SPARC) is installed oval oval:org.mitre.oval:def:1457 description Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. family unix id oval:org.mitre.oval:def:5993 status accepted submitted 2009-04-30T11:23:00.000-04:00 title Security Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS) version 36 accepted 2009-06-15T04:01:00.185-04:00 class vulnerability contributors name Michael Wood organization Hewlett-Packard definition_extensions comment Solaris 9 (x86) is installed oval oval:org.mitre.oval:def:1683 description Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. family unix id oval:org.mitre.oval:def:6094 status accepted submitted 2009-04-30T11:23:00.000-04:00 title Security Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS) version 36 accepted 2013-04-29T04:18:40.860-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 4 oval oval:org.mitre.oval:def:11831 comment CentOS Linux 4.x oval oval:org.mitre.oval:def:16636 comment Oracle Linux 4.x oval oval:org.mitre.oval:def:15990
description Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. family unix id oval:org.mitre.oval:def:9295 status accepted submitted 2010-07-09T03:56:16-04:00 title Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. version 26
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://docs.info.apple.com/article.html?artnum=305214
- http://docs.info.apple.com/article.html?artnum=305391
- http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html
- http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
- http://lists.gnu.org/archive/html/bug-tar/2006-02/msg00051.html
- http://secunia.com/advisories/18973
- http://secunia.com/advisories/18976
- http://secunia.com/advisories/18999
- http://secunia.com/advisories/19016
- http://secunia.com/advisories/19093
- http://secunia.com/advisories/19130
- http://secunia.com/advisories/19152
- http://secunia.com/advisories/19236
- http://secunia.com/advisories/20042
- http://secunia.com/advisories/24479
- http://secunia.com/advisories/24966
- http://securityreason.com/securityalert/480
- http://securityreason.com/securityalert/543
- http://securitytracker.com/id?1015705
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-241646-1
- http://www.debian.org/security/2006/dsa-987
- http://www.gentoo.org/security/en/glsa/glsa-200603-06.xml
- http://www.novell.com/linux/security/advisories/2006_05_sr.html
- http://www.openpkg.org/security/OpenPKG-SA-2006.006-tar.html
- http://www.osvdb.org/23371
- http://www.redhat.com/support/errata/RHSA-2006-0232.html
- http://www.securityfocus.com/archive/1/430299/100/0/threaded
- http://www.securityfocus.com/bid/16764
- http://www.trustix.org/errata/2006/0010
- http://www.us-cert.gov/cas/techalerts/TA07-072A.html
- http://www.us-cert.gov/cas/techalerts/TA07-109A.html
- http://www.vupen.com/english/advisories/2006/0684
- http://www.vupen.com/english/advisories/2007/0930
- http://www.vupen.com/english/advisories/2007/1470
- http://www.vupen.com/english/advisories/2008/2518
- http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:046
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24855
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5252
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5978
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5993
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6094
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9295
- https://usn.ubuntu.com/257-1/