Bug 19696 - tar new security issue CVE-2016-6321
Summary: tar new security issue CVE-2016-6321
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/705216/
Whiteboard: MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Reported: 2016-11-01 19:46 CET by David Walser
Modified: 2016-11-18 00:41 CET (History)
5 users (show)

See Also:
Source RPM: tar-1.29-2.mga6.src.rpm
Status comment:


Description David Walser 2016-11-01 19:46:12 CET
Debian-LTS has issued an advisory on October 31:

The Debian bug for this is here:

Mageia 5 is also affected.
David Walser 2016-11-01 19:46:24 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-11-01 23:58:19 CET
Debian has issued an advisory for this today (November 1):
Comment 2 Nicolas Lécureuil 2016-11-16 15:33:25 CET
Fixed package on mga5 updates_testing
Fixed in cauldron too.

CC: (none) => mageia
Version: Cauldron => 5
Assignee: shlomif => qa-bugs

Comment 3 David Walser 2016-11-16 15:41:38 CET

Updated tar package fixes security vulnerability:

Harry Sintonen discovered that GNU tar does not properly handle member names
containing '..', thus allowing an attacker to bypass the path names specified on
the command line and replace files and directories in the target directory


Updated packages in core/updates_testing:

from tar-1.28-3.1.mga5.src.rpm

Whiteboard: MGA5TOO => (none)

Comment 4 Herman Viaene 2016-11-17 15:57:30 CET
MGA5-32 on AcerD620 Xfce
No installation issues
Did tests:
Viewed existing tar file contents: OK
made test files text1.txt and text..txt with some contents in ~/Downloads
at CLI: tar -cf bugtest.tar text1.txt text2..txt
copied bugtest.tar to ~/Documenten
at CLI 
$ cd ../Documenten/
$ tar -xf bugtest.tar 
Checked files came thru OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 5 Pana Sum 2016-11-17 18:47:21 CET
Tested tar-1.28-3.1.mga5 on Mageia 5 64 bits in a MSI Cubi PC.

Installation OK.
Compressing and extracting some tar.gz files OK
Compressing and extracting some tar.bz2 files OK

CC: (none) => panasum

Dave Hodgins 2016-11-17 20:17:43 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-11-18 00:41:42 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.