Vulnerabilities > CVE-2006-6097 - Remote Directory Traversal vulnerability in GNU TAR 1.15.1/1.16
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
PARTIAL Summary
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
Exploit-Db
| description | GNU Tar 1.1x GNUTYPE_NAMES Remote Directory Traversal Vulnerability. CVE-2006-6097. Remote exploit for linux platform |
| id | EDB-ID:29160 |
| last seen | 2016-02-03 |
| modified | 2006-11-21 |
| published | 2006-11-21 |
| reporter | Teemu Salmela |
| source | https://www.exploit-db.com/download/29160/ |
| title | GNU Tar 1.1x GNUTYPE_NAMES Remote Directory Traversal Vulnerability |
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_3DD7EB5880AE11DBB4EC000854D03344.NASL description Teemu Salmela reports : There is a tar record type, called GNUTYPE_NAMES (an obsolete GNU extension), that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files. last seen 2020-06-01 modified 2020-06-02 plugin id 23759 published 2006-12-04 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23759 title FreeBSD : gtar -- GNUTYPE_NAMES directory traversal vulnerability (3dd7eb58-80ae-11db-b4ec-000854d03344) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(23759); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:38"); script_cve_id("CVE-2006-6097"); script_bugtraq_id(21235); script_name(english:"FreeBSD : gtar -- GNUTYPE_NAMES directory traversal vulnerability (3dd7eb58-80ae-11db-b4ec-000854d03344)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Teemu Salmela reports : There is a tar record type, called GNUTYPE_NAMES (an obsolete GNU extension), that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files." ); # http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1dbe1a99" ); # https://vuxml.freebsd.org/freebsd/3dd7eb58-80ae-11db-b4ec-000854d03344.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b88fb2df" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gtar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/21"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"gtar<1.16_2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200612-10.NASL description The remote host is affected by the vulnerability described in GLSA-200612-10 (Tar: Directory traversal vulnerability) Tar does not properly extract archive elements using the GNUTYPE_NAMES record name, allowing files to be created at arbitrary locations using symlinks. Once a symlink is extracted, files after the symlink in the archive will be extracted to the destination of the symlink. Impact : An attacker could entice a user to extract a specially crafted tar archive, possibly allowing for the overwriting of arbitrary files on the system extracting the archive. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 23862 published 2006-12-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23862 title GLSA-200612-10 : Tar: Directory traversal vulnerability code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200612-10. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(23862); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-6097"); script_xref(name:"GLSA", value:"200612-10"); script_name(english:"GLSA-200612-10 : Tar: Directory traversal vulnerability"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200612-10 (Tar: Directory traversal vulnerability) Tar does not properly extract archive elements using the GNUTYPE_NAMES record name, allowing files to be created at arbitrary locations using symlinks. Once a symlink is extracted, files after the symlink in the archive will be extracted to the destination of the symlink. Impact : An attacker could entice a user to extract a specially crafted tar archive, possibly allowing for the overwriting of arbitrary files on the system extracting the archive. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200612-10" ); script_set_attribute( attribute:"solution", value: "All Tar users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=app-arch/tar-1.16-r2'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:tar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"app-arch/tar", unaffected:make_list("ge 1.16-r2"), vulnerable:make_list("lt 1.16-r2"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Tar"); }NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0089_TAR.NASL description The remote NewStart CGSL host, running version MAIN 4.06, has tar packages installed that are affected by multiple vulnerabilities: - Buffer overflow in tar 1.14 through 1.15.90 allows user- assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. (CVE-2006-0300) - GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. (CVE-2006-6097) - Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. (CVE-2007-4131) - Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a crashing stack. (CVE-2007-4476) - Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. (CVE-2010-0624) - Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. (CVE-2016-6321) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127307 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127307 title NewStart CGSL MAIN 4.06 : tar Multiple Vulnerabilities (NS-SA-2019-0089) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0089. The text # itself is copyright (C) ZTE, Inc. include("compat.inc"); if (description) { script_id(127307); script_version("1.3"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id( "CVE-2006-0300", "CVE-2006-6097", "CVE-2007-4131", "CVE-2007-4476", "CVE-2010-0624", "CVE-2016-6321" ); script_name(english:"NewStart CGSL MAIN 4.06 : tar Multiple Vulnerabilities (NS-SA-2019-0089)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version MAIN 4.06, has tar packages installed that are affected by multiple vulnerabilities: - Buffer overflow in tar 1.14 through 1.15.90 allows user- assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. (CVE-2006-0300) - GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. (CVE-2006-6097) - Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. (CVE-2007-4131) - Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a crashing stack. (CVE-2007-4476) - Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. (CVE-2010-0624) - Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. (CVE-2016-6321) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0089"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL tar packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-4476"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/24"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL MAIN 4.06") audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.06'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL MAIN 4.06": [ "tar-1.23-15.el6_8.cgslv4_6.0.1.gff7e116", "tar-debuginfo-1.23-15.el6_8.cgslv4_6.0.1.gff7e116" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tar"); }NASL family SuSE Local Security Checks NASL id SUSE_TAR-2344.NASL description This security update fixes a directory traversal in tar, where unpacked symlinks could be followed outside of the directory where the tar file is unpacked. (CVE-2006-6097) The problematic feature has been made optional and is disabled by default. It can be enabled by a commandline switch. last seen 2020-06-01 modified 2020-06-02 plugin id 29585 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29585 title SuSE 10 Security Update : tar (ZYPP Patch Number 2344) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(29585); script_version ("1.12"); script_cvs_date("Date: 2019/10/25 13:36:29"); script_cve_id("CVE-2006-6097"); script_name(english:"SuSE 10 Security Update : tar (ZYPP Patch Number 2344)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This security update fixes a directory traversal in tar, where unpacked symlinks could be followed outside of the directory where the tar file is unpacked. (CVE-2006-6097) The problematic feature has been made optional and is disabled by default. It can be enabled by a commandline switch." ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2006-6097.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 2344."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:0, reference:"tar-1.15.1-23.5")) flag++; if (rpm_check(release:"SLES10", sp:0, reference:"tar-1.15.1-23.5")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else exit(0, "The host is not affected.");NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2006-335-01.NASL description New tar packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 24659 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24659 title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : tar (SSA:2006-335-01) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2006-335-01. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(24659); script_version("1.14"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_cve_id("CVE-2006-6097"); script_xref(name:"SSA", value:"2006-335-01"); script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : tar (SSA:2006-335-01)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New tar packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix a security issue." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.469379 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?82740921" ); script_set_attribute(attribute:"solution", value:"Update the affected tar package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:tar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"8.1", pkgname:"tar", pkgver:"1.16", pkgarch:"i386", pkgnum:"1_slack8.1")) flag++; if (slackware_check(osver:"9.0", pkgname:"tar", pkgver:"1.16", pkgarch:"i386", pkgnum:"1_slack9.0")) flag++; if (slackware_check(osver:"9.1", pkgname:"tar", pkgver:"1.16", pkgarch:"i486", pkgnum:"1_slack9.1")) flag++; if (slackware_check(osver:"10.0", pkgname:"tar", pkgver:"1.16", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++; if (slackware_check(osver:"10.1", pkgname:"tar", pkgver:"1.16", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++; if (slackware_check(osver:"10.2", pkgname:"tar", pkgver:"1.16", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++; if (slackware_check(osver:"11.0", pkgname:"tar", pkgver:"1.16", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-219.NASL description GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. The updated packages have been patched to address this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 24603 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24603 title Mandrake Linux Security Advisory : tar (MDKSA-2006:219) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:219. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(24603); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2006-6097"); script_xref(name:"MDKSA", value:"2006:219"); script_name(english:"Mandrake Linux Security Advisory : tar (MDKSA-2006:219)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. The updated packages have been patched to address this issue." ); script_set_attribute(attribute:"solution", value:"Update the affected tar package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:tar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2006.0", reference:"tar-1.15.1-5.2.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2007.0", reference:"tar-1.15.91-1.1mdv2007.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0749.NASL description Updated tar packages that fix a path traversal flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 23941 published 2006-12-30 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23941 title CentOS 3 / 4 : tar (CESA-2006:0749) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2006:0749 and # CentOS Errata and Security Advisory 2006:0749 respectively. # include("compat.inc"); if (description) { script_id(23941); script_version("1.15"); script_cvs_date("Date: 2019/10/25 13:36:03"); script_cve_id("CVE-2006-6097"); script_xref(name:"RHSA", value:"2006:0749"); script_name(english:"CentOS 3 / 4 : tar (CESA-2006:0749)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing a security update." ); script_set_attribute( attribute:"description", value: "Updated tar packages that fix a path traversal flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue." ); # https://lists.centos.org/pipermail/centos-announce/2006-December/013433.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d1c3f02a" ); # https://lists.centos.org/pipermail/centos-announce/2006-December/013434.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e6a5a8e2" ); # https://lists.centos.org/pipermail/centos-announce/2006-December/013437.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?5e0cce2d" ); # https://lists.centos.org/pipermail/centos-announce/2006-December/013439.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?30a3d537" ); # https://lists.centos.org/pipermail/centos-announce/2006-December/013443.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?977d292e" ); # https://lists.centos.org/pipermail/centos-announce/2006-December/013444.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?5839e4ad" ); script_set_attribute(attribute:"solution", value:"Update the affected tar package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/24"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-3", reference:"tar-1.13.25-15.RHEL3")) flag++; if (rpm_check(release:"CentOS-4", reference:"tar-1.14-12.RHEL4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tar"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-385-1.NASL description Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27968 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27968 title Ubuntu 5.10 / 6.06 LTS / 6.10 : tar vulnerability (USN-385-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-385-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(27968); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:33:01"); script_cve_id("CVE-2006-6097"); script_xref(name:"USN", value:"385-1"); script_name(english:"Ubuntu 5.10 / 6.06 LTS / 6.10 : tar vulnerability (USN-385-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/385-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected tar package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:tar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(5\.10|6\.06|6\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.10 / 6.06 / 6.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"5.10", pkgname:"tar", pkgver:"1.15.1-2ubuntu0.2")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"tar", pkgver:"1.15.1-2ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"tar", pkgver:"1.15.91-2ubuntu0.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tar"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0749.NASL description Updated tar packages that fix a path traversal flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 23959 published 2006-12-30 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23959 title RHEL 2.1 / 3 / 4 : tar (RHSA-2006:0749) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2006:0749. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(23959); script_version ("1.22"); script_cvs_date("Date: 2019/10/25 13:36:12"); script_cve_id("CVE-2006-6097"); script_xref(name:"RHSA", value:"2006:0749"); script_name(english:"RHEL 2.1 / 3 / 4 : tar (RHSA-2006:0749)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "Updated tar packages that fix a path traversal flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2006-6097" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2006:0749" ); script_set_attribute(attribute:"solution", value:"Update the affected tar package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/24"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(2\.1|3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x / 4.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2006:0749"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"tar-1.13.25-6.AS21.1")) flag++; if (rpm_check(release:"RHEL3", reference:"tar-1.13.25-15.RHEL3")) flag++; if (rpm_check(release:"RHEL4", reference:"tar-1.14-12.RHEL4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tar"); } }NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2006-0749.NASL description From Red Hat Security Advisory 2006:0749 : Updated tar packages that fix a path traversal flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67428 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67428 title Oracle Linux 3 / 4 : tar (ELSA-2006-0749) NASL family SuSE Local Security Checks NASL id SUSE_TAR-2343.NASL description This security update fixes a directory traversal in tar, where unpacked symlinks could be followed outside of the directory where the tar file is unpacked. (CVE-2006-6097) This feature was made optional and needs to be enabled with a commandline option. last seen 2020-06-01 modified 2020-06-02 plugin id 27462 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27462 title openSUSE 10 Security Update : tar (tar-2343) NASL family MacOS X Local Security Checks NASL id MACOSX_10_4_9.NASL description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog last seen 2020-06-01 modified 2020-06-02 plugin id 24811 published 2007-03-13 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24811 title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0153_TAR.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has tar packages installed that are affected by multiple vulnerabilities: - Buffer overflow in tar 1.14 through 1.15.90 allows user- assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. (CVE-2006-0300) - GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. (CVE-2006-6097) - Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. (CVE-2007-4131) - Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a crashing stack. (CVE-2007-4476) - Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. (CVE-2010-0624) - Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. (CVE-2016-6321) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127428 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127428 title NewStart CGSL MAIN 4.05 : tar Multiple Vulnerabilities (NS-SA-2019-0153) NASL family SuSE Local Security Checks NASL id SUSE_TAR-2351.NASL description This security update fixes a directory traversal in tar, where unpacked symlinks could be followed outside of the directory where the tar file is unpacked. (CVE-2006-6097) This feature was made optional and needs to be enabled with a commandline option. last seen 2020-06-01 modified 2020-06-02 plugin id 27463 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27463 title openSUSE 10 Security Update : tar (tar-2351) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1223.NASL description Teemu Salmela discovered a vulnerability in GNU tar that could allow a malicious user to overwrite arbitrary files by inducing the victim to attempt to extract a specially crafted tar file containing a GNUTYPE_NAMES record with a symbolic link. last seen 2020-06-01 modified 2020-06-02 plugin id 23765 published 2006-12-04 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23765 title Debian DSA-1223-1 : tar - input validation error
Oval
| accepted | 2013-04-29T04:10:18.270-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:10963 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||
| rpms |
|
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-03-14 |
| organization | Red Hat |
| statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- ftp://patches.sgi.com/support/free/security/advisories/20061202-01-P.asc
- http://docs.info.apple.com/article.html?artnum=305214
- http://kb.vmware.com/KanisaPlatform/Publishing/817/2240267_f.SAL_Public.html
- http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.html
- http://rhn.redhat.com/errata/RHSA-2006-0749.html
- http://secunia.com/advisories/23115
- http://secunia.com/advisories/23117
- http://secunia.com/advisories/23142
- http://secunia.com/advisories/23146
- http://secunia.com/advisories/23163
- http://secunia.com/advisories/23173
- http://secunia.com/advisories/23198
- http://secunia.com/advisories/23209
- http://secunia.com/advisories/23314
- http://secunia.com/advisories/23443
- http://secunia.com/advisories/23514
- http://secunia.com/advisories/23911
- http://secunia.com/advisories/24479
- http://secunia.com/advisories/24636
- http://security.freebsd.org/advisories/FreeBSD-SA-06:26.gtar.asc
- http://security.gentoo.org/glsa/glsa-200612-10.xml
- http://securityreason.com/securityalert/1918
- http://securitytracker.com/id?1017423
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.469379
- http://support.avaya.com/elmodocs2/security/ASA-2007-015.htm
- http://www.debian.org/security/2006/dsa-1223
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:219
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.038.html
- http://www.securityfocus.com/archive/1/453286/100/0/threaded
- http://www.securityfocus.com/archive/1/464268/100/0/threaded
- http://www.securityfocus.com/bid/21235
- http://www.trustix.org/errata/2006/0068/
- http://www.ubuntu.com/usn/usn-385-1
- http://www.us-cert.gov/cas/techalerts/TA07-072A.html
- http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html
- http://www.vupen.com/english/advisories/2006/4717
- http://www.vupen.com/english/advisories/2006/5102
- http://www.vupen.com/english/advisories/2007/0930
- http://www.vupen.com/english/advisories/2007/1171
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216937
- https://issues.rpath.com/browse/RPL-821
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10963