• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: GNU Tar Hostile Destination Path Vulnerability

Severity: HIGH

Description:

GNU tar contains a vulnerability in the handling of pathnames for archived files.

By specifying a path for an archived item that points outside the expected directory scope, an attacker can cause the file to be extracted to arbitrary locations on the filesystem, including paths containing system binaries and other sensitive or confidential information.

To do this, the attacker can either:

- Specify a relative path using '../' sequences
- Specify an absolute path, guessing the structure of the target filesystem and supplying a valid, complete destination path for the item's extraction.

Either approach can permit a file stored in a hostile archive to be placed anywhere on the target system. By default, tar will overwrite existing files without warning the user.

Since tar can override umask settings, the output file can be rendered executable.

The attacker can exploit this issue to create or overwrite binaries in any desired location. The attacker may be able to elevate privileges, potentially to 'root'.

Versions prior to GNU Tar 1.13.19 are affected.

Affected Products:

• Allot NetEnforcer 4.2.0
• Allot NetEnforcer 4.2.1
• Conectiva Linux 6.0.0
• Conectiva Linux 7.0.0
• Conectiva Linux 8.0.0
• Foresight Linux Foresight Linux 1.1
• GNU tar 1.13.0
• GNU tar 1.13.11
• GNU tar 1.13.14
• GNU tar 1.13.16
• GNU tar 1.13.17
• GNU tar 1.13.18
• GNU tar 1.13.19
• GNU tar 1.13.5
• HP Secure OS software for Linux 1.0.0
• Linux kernel 2.4.19
• Linux kernel 2.4.21
• Linux kernel 2.6.5
• RedHat Linux 6.2.0
• RedHat Linux 6.2.0 alpha
• RedHat Linux 6.2.0 i386
• RedHat Linux 6.2.0 sparc
• S.u.S.E. Linux 10.0 ppc
• S.u.S.E. Linux 10.0 x86
• S.u.S.E. Linux 10.0 x86-64
• S.u.S.E. Linux 10.1 ppc
• S.u.S.E. Linux 10.1 x86
• S.u.S.E. Linux 10.1 x86-64
• S.u.S.E. Linux Desktop 1.0.0
• S.u.S.E. Linux Desktop 10
• S.u.S.E. Linux Enterprise SDK 10
• S.u.S.E. Linux Enterprise Server 10
• S.u.S.E. Linux Enterprise Server 10.SP1
• S.u.S.E. Linux Enterprise Server 8
• S.u.S.E. Linux Enterprise Server 9
• S.u.S.E. Linux Enterprise Server 9-SP3
• S.u.S.E. Linux Enterprise Server SDK 9
• S.u.S.E. Linux Enterprise Server for S/390
• S.u.S.E. Linux Enterprise Server for S/390 9.0.0
• S.u.S.E. Linux Office Server
• S.u.S.E. Linux Openexchange Server
• S.u.S.E. Linux Personal 10.0.0 OSS
• S.u.S.E. Linux Personal 10.1
• S.u.S.E. Linux Personal 10.2
• S.u.S.E. Linux Personal 10.2 x86_64
• S.u.S.E. Linux Professional 10.0.0
• S.u.S.E. Linux Professional 10.0.0 OSS
• S.u.S.E. Linux Professional 10.1
• S.u.S.E. Linux Professional 10.2
• S.u.S.E. Linux Professional 10.2 x86_64
• S.u.S.E. Novell Linux Desktop 1.0.0
• S.u.S.E. Novell Linux Desktop 9
• S.u.S.E. Novell Linux Desktop 9.0.0
• S.u.S.E. Novell Linux POS 9
• S.u.S.E. Office Server
• S.u.S.E. Open-Enterprise-Server
• S.u.S.E. Open-Enterprise-Server 1
• S.u.S.E. Open-Enterprise-Server 9.0.0
• S.u.S.E. SLE SDK 10
• S.u.S.E. SLE SDK 10.SP1
• S.u.S.E. SLE SDK 9
• S.u.S.E. SUSE LINUX Retail Solution 8.0.0
• S.u.S.E. SUSE Linux Enterprise Desktop 10
• S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
• S.u.S.E. SUSE Linux Enterprise Server 10
• S.u.S.E. SUSE Linux Enterprise Server 10 SP1
• S.u.S.E. SUSE Linux Enterprise Server 9 SP3
• S.u.S.E. SuSE Linux Openexchange Server 4.0.0
• S.u.S.E. SuSE Linux School Server for i386
• S.u.S.E. SuSE Linux Standard Server 8.0.0
• S.u.S.E. UnitedLinux 1.0.0
• S.u.S.E. openSUSE 10.2
• Sun Cobalt Qube 3
• Sun Cobalt RaQ 3
• Sun Cobalt RaQ 4
• Sun Cobalt RaQ 550
• Sun Cobalt RaQ XTR
• Sun Linux 5.0.0
• Sun Linux 5.0.3
• Sun Linux 5.0.5
• Sun Linux 5.0.6
• rPath rPath Linux 1

References:

• 3APA3A <3APA3A@security.nnov.ru>: SECURITY.NNOV: directory traversal and path globing in multiple archivers
• Sun Microsystems: 47800

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.