CVE-2007-4131

Upstream information

CVE-2007-4131 at MITRE

Description

Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.

SUSE information

Overall state of this security issue: Ignore

This issue is currently rated as having moderate severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	Partial
Availability Impact	Partial

SUSE Bugzilla entry: 299738 [RESOLVED / FIXED]

SUSE Security Advisories:

SUSE-SR:2007:018, published Fri, 31 Aug 2007 15:00:00 +0000

List of released packages

Product(s)	Fixed package version(s)	References
SUSE LINUX 10.0	`star >= 1.5a60-5.3`
SUSE LINUX 10.1	`star >= 1.5a70-12.6`
SUSE LINUX Retail Solution 8 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server 8 for AMD64 SuSE Linux Enterprise Server 8 for IBM iSeries and IBM pSeries SuSE Linux Enterprise Server 8 for IBM zSeries SuSE Linux Enterprise Server 8 for IPF SuSE Linux Openexchange Server 4 SuSE Linux School Server for i386 SuSE Linux Standard Server 8 UnitedLinux 1.0	`tar >= 1.13.25-334`	sled10.x86 core9.s390 sles9-oes.x86 slrs8.x86 sles10.s390x ul1.s390 ZYPP Patch Nr: 4125
Novell Linux Desktop 9 for x86 Novell Linux Desktop 9 for x86_64 Open Enterprise Server	`tar >= 1.13.25-325.10`	sled10.x86 core9.s390 sles9-oes.x86 slrs8.x86 sles10.s390x ul1.s390 ZYPP Patch Nr: 4125
SUSE LINUX 10.0	`tar >= 1.15.1-9.6`
SUSE LINUX 10.1	`tar >= 1.15.1-23.8`