Sicherheit: Überschreiben von Dateien in tar

Lesezeichen hinzufügen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2006-42
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date: 29 Nov 2006
Last revised: 29 Nov 2006

Package: tar

Summary: Symlink attack in tar

More information:
The program saves many files together into a single tape or disk
archive, and can restore individual files from the archive. It
includes multivolume support, the ability to archive sparse files,
automatic archive compression/decompression, remote archives and
special features that allow 'tar' to be used for incremental and
full backups.

The tar allows attackers to overwrite arbitrary files
via a symbolic link attack.

Impact:
This vulnerability may allow attackers to overwrite arbitrary files
via a symbolic link attack.

Affected Products:
- Turbolinux FUJI

<Turbolinux FUJI>

Source Packages
Size: MD5

tar-1.16-2.src.rpm
2594502 4e81e21f3fe299e552195854fc608e5f

Binary Packages
Size: MD5

tar-1.16-2.i686.rpm
826969 3cdfa5de64f94d6e32c4d9c73f676c97

References:

CVE
[CVE-2006-6097]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097

--------------------------------------------------------------------------
Revision History
29 Nov 2006 Initial release
--------------------------------------------------------------------------

Copyright(C) 2006 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFFbVfnK0LzjOqIJMwRAkb4AKCF1G+VYs2YwCm/UeVL+DJdYxt2UACgscwx
D7nnLzsr031UFLQQ3zM1Ai0=
=J0ZJ
-----END PGP SIGNATURE-----