Bug 19696

Summary: tar new security issue CVE-2016-6321
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, herman.viaene, mageia, panasum, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/705216/
Whiteboard: MGA5-32-OK advisory
Source RPM: tar-1.29-2.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-11-01 19:46:12 CET
Debian-LTS has issued an advisory on October 31:
http://lwn.net/Alerts/705200/

The Debian bug for this is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842339

Mageia 5 is also affected.
David Walser 2016-11-01 19:46:24 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-11-01 23:58:19 CET
Debian has issued an advisory for this today (November 1):
https://www.debian.org/security/2016/dsa-3702
Comment 2 Nicolas Lécureuil 2016-11-16 15:33:25 CET
Fixed package on mga5 updates_testing
Fixed in cauldron too.

CC: (none) => mageia
Version: Cauldron => 5
Assignee: shlomif => qa-bugs

Comment 3 David Walser 2016-11-16 15:41:38 CET
Advisory:
========================

Updated tar package fixes security vulnerability:

Harry Sintonen discovered that GNU tar does not properly handle member names
containing '..', thus allowing an attacker to bypass the path names specified on
the command line and replace files and directories in the target directory
(CVE-2016-6321).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
https://www.debian.org/security/2016/dsa-3702
========================

Updated packages in core/updates_testing:
========================
tar-1.28-3.1.mga5

from tar-1.28-3.1.mga5.src.rpm

Whiteboard: MGA5TOO => (none)
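A reproduction check for the bypass the advisory describes, added here as an example; it is not part of this bug report nor of the Mageia or Debian packages. The script builds an archive whose member name contains '..' (the archive name, the file names `safe/ok.txt` and `escaped.txt`, and the function name are all constructed for this example), asks tar to extract only the path `safe`, and reports whether that member escaped into the target directory. `-P` on creation is GNU tar's `--absolute-names`, which keeps the '..' component in the stored member name instead of stripping it. The assumption is that a tar carrying the upstream fix skips such a member (possibly exiting non-zero, which the script tolerates), so the function returns 0 on a fixed tar and 1 when `escaped.txt` turns up outside the requested path.

```shell
#!/bin/sh
# Added example (not from the bug report): does this tar honour the member
# name given on the command line when an archive entry contains '..'?
# Returns 0 when extraction stays inside "safe" (fixed tar),
#         1 when escaped.txt lands in the target directory (vulnerable tar),
#         2 when the test archive could not be built or extracted.
check_tar_dotdot_bypass() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/src/safe" "$work/target" || return 2
    printf 'harmless\n' > "$work/src/safe/ok.txt"
    printf 'should stay out\n' > "$work/src/escaped.txt"

    # Constructed archive: one legitimate member under safe/ and one member
    # named safe/../escaped.txt. -P keeps the '..' in the stored name; without
    # it tar would strip "safe/../" already at creation time.
    (cd "$work/src" && tar -cPf ../poc.tar safe/ok.txt safe/../escaped.txt) \
        || { rm -rf "$work"; return 2; }

    # Extract only "safe". A vulnerable tar matches safe/../escaped.txt
    # against the requested name "safe", then strips the leading "safe/../"
    # and writes escaped.txt into the target directory. A fixed tar skips
    # the member and may exit non-zero, so the exit status is ignored here.
    (cd "$work/target" && tar -xf ../poc.tar safe 2>/dev/null) || :

    if [ ! -f "$work/target/safe/ok.txt" ]; then
        rc=2            # nothing was extracted at all; tar itself failed
    elif [ -e "$work/target/escaped.txt" ]; then
        rc=1            # member escaped the requested path
    else
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

rc=0
check_tar_dotdot_bypass || rc=$?
case $rc in
    0) echo "OK: tar kept extraction inside the requested path" ;;
    1) echo "VULNERABLE: escaped.txt was written outside the requested path" ;;
    *) echo "SKIPPED: could not build or extract the test archive" ;;
esac
```

Run it on the updated package before and after installing tar-1.28-3.1.mga5; the check exercises the exact condition in the advisory (a member name with '..' plus a path name on the command line), which a plain create-and-extract round trip of well-formed file names does not.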

Comment 4 Herman Viaene 2016-11-17 15:57:30 CET
MGA5-32 on AcerD620 Xfce
No installation issues
Did tests:
Viewed existing tar file contents: OK
made test files text1.txt and text..txt with some contents in ~/Downloads
at CLI: tar -cf bugtest.tar text1.txt text2..txt
copied bugtest.tar to ~/Documenten
at CLI 
$ cd ../Documenten/
$ tar -xf bugtest.tar 
Checked files came through OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 5 Pana Sum 2016-11-17 18:47:21 CET
Tested tar-1.28-3.1.mga5 on Mageia 5 64 bits in a MSI Cubi PC.

Installation OK.
Compressing and extracting some tar.gz files OK
Compressing and extracting some tar.bz2 files OK

CC: (none) => panasum

Dave Hodgins 2016-11-17 20:17:43 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-11-18 00:41:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0386.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED