Updated libtar package fixes security vulnerability
Publication date: 21 Feb 2014
Modification date: 21 Feb 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2013-4420
Description
A directory traversal vulnerability was reported in libtar, a C library for manipulating tar archives. The library does not validate the filenames inside a tar archive, which allows files to be extracted to arbitrary paths. An attacker can craft a tar file that overwrites files outside the directory given by the prefix parameter of tar_extract_glob and tar_extract_all (CVE-2013-4420).
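A member-name check of the kind the description says was missing, as an added example that is not libtar's code and not the patch shipped in these packages. The helper names `member_name_is_safe` and `safe_join`, the prefix `/tmp/extract` and the sample names are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libtar API). Return 1 if a tar member name is
 * non-empty, relative, and has no ".." path component; otherwise 0. */
static int member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;

    const char *p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                          /* parent-directory step */
        p += len;
        while (*p == '/')                      /* skip a run of separators */
            p++;
    }
    return 1;
}

/* Build "prefix/name" into out; return 0 on success, -1 if the name is
 * rejected or the joined path does not fit in the buffer. */
static int safe_join(const char *prefix, const char *name,
                     char *out, size_t outlen)
{
    if (!member_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", prefix, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample member names, not taken from a real archive. */
    const char *samples[] = { "docs/readme.txt", "../../outside.txt",
                              "/abs/path.txt", "a/../../b", "notes..txt" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = safe_join("/tmp/extract", samples[i], path, sizeof path);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

The check covers member names only; symbolic-link entries inside an archive need separate handling.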
References
SRPMS
4/core
- libtar-1.2.20-2.1.mga4
3/core
- libtar-1.2.18-2.2.mga3