Mandriva Advisories

Package name: tar
Date: September 4th, 2007
Advisory ID: MDKSA-2007:173
Affected versions: 2007.0, CS4.0, 2007.1
Synopsis: Updated tar packages fix vulnerabilities

Problem Description

Dmitry V. Levin discovered a path traversal flaw in how GNU tar
extracted archives. A malicious user could create a tar archive that
could write to arbitrary files that the user running tar has write
access to.

Updated packages have been patched to prevent these issues.

Updated Packages

Mandriva Linux 2007

 8f82a3a1e903928948584afac733c0be  2007.0/i586/tar-1.15.91-1.2mdv2007.0.i586.rpm 
 65e7c9a6300a397c71cbfe1c1854e491  2007.0/SRPMS/tar-1.15.91-1.2mdv2007.0.src.rpm

Mandriva Linux 2007/X86_64

 e4d6a38673a213ee0011624ecd6b5667  2007.0/x86_64/tar-1.15.91-1.2mdv2007.0.x86_64.rpm 
 65e7c9a6300a397c71cbfe1c1854e491  2007.0/SRPMS/tar-1.15.91-1.2mdv2007.0.src.rpm

Corporate Server 4.0

 ecc995d361f75e3618cb23e000f012cf  corporate/4.0/i586/tar-1.15.1-5.3.20060mlcs4.i586.rpm 
 1831cb7c8437d7f68c6e53d3980a0049  corporate/4.0/SRPMS/tar-1.15.1-5.3.20060mlcs4.src.rpm

Corporate Server 4.0/X86_64

 61513a4da673ea8d5ffb4fe26f346488  corporate/4.0/x86_64/tar-1.15.1-5.3.20060mlcs4.x86_64.rpm 
 1831cb7c8437d7f68c6e53d3980a0049  corporate/4.0/SRPMS/tar-1.15.1-5.3.20060mlcs4.src.rpm

Mandriva Linux 2007.1

 003db92130c44646c89d127db26a4fd8  2007.1/i586/tar-1.16-3.1mdv2007.1.i586.rpm 
 d929dd2ef2716987b8890542fb762693  2007.1/SRPMS/tar-1.16-3.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64

 92323c0cb0bd466e2a35e6b02f01778b  2007.1/x86_64/tar-1.16-3.1mdv2007.1.x86_64.rpm 
 d929dd2ef2716987b8890542fb762693  2007.1/SRPMS/tar-1.16-3.1mdv2007.1.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

                rpm --checksig package.rpm
                

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of the MD5 checksum and GPG signature is performed automatically for you.