Note: This is an archival copy of Security Sun Alert 273551 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021680.1.
Category: Security
Release Phase: Resolved
Bug ID: 6616278
Product: Solaris 9 Operating System, Solaris 10 Operating System, OpenSolaris
Date of Workaround Release: 02-Dec-2009
Date of Resolved Release: 23-Mar-2010

Two security vulnerabilities in GNU tar (see gtar(1)):

1. Impact

Two security vulnerabilities have been found in the GNU tar gtar(1) archiving program bundled with Solaris 9, Solaris 10 and OpenSolaris.

The first issue is a directory traversal vulnerability: a local or remote unprivileged user who provides a specially crafted archive may be able to overwrite arbitrary files that the user running gtar(1) has permission to modify.

The second issue is a buffer overflow: a local or remote unprivileged user who provides a specially crafted tar archive may be able to execute arbitrary commands with the privileges of the user running gtar(1), or to cause gtar(1) to crash. The ability to cause a program crash is a type of Denial of Service (DoS).

Additional information regarding these issues is available at:
2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

$ uname -v

Note 2: Solaris 8 does not include support for the GNU tar utility and therefore is not impacted by these issues.

3. Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited on a system.

4. Workaround

Until the patches for these issues can be applied, users should avoid using gtar(1) with archives from untrusted sources.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform
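The directory traversal issue described above hinges on archive members whose path (or link target) resolves outside the directory the archive is extracted into. As an added pre-extraction check, not part of this Sun Alert or of GNU tar itself, the following Python script lists every such member in an archive, using a constructed in-memory sample; it only covers the traversal issue and cannot detect the buffer overflow, for which the listed patches remain the fix.

```python
import io
import posixpath
import tarfile

def escapes_extraction_dir(path: str) -> bool:
    """True if a member path would resolve outside the directory tar extracts into."""
    if not path or path.startswith("/"):
        return True
    # normpath collapses "a/../b", so only genuinely climbing paths keep a leading "..".
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")

def find_unsafe_members(archive: bytes) -> list:
    """Return (member name, reason) for each member that could write outside the target tree.
    Covers member paths plus symlink and hard-link targets (the traversal vectors the
    advisory's first issue describes); it cannot detect the buffer overflow."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            if escapes_extraction_dir(m.name):
                findings.append((m.name, "member path escapes extraction directory"))
            elif m.issym() or m.islnk():
                # A symlink target is relative to the link's own directory; a hard-link
                # target is relative to the archive root.
                target = m.linkname if m.islnk() else posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_extraction_dir(target):
                    findings.append((m.name, "link target escapes extraction directory"))
    return findings

def build_sample_archive() -> bytes:
    """Constructed in-memory archive mixing benign members with traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, content=b"", linkname="", kind=tarfile.REGTYPE):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = kind, linkname, len(content)
            tf.addfile(ti, io.BytesIO(content) if content else None)
        add("docs/readme.txt", b"hello")
        add("docs/notes.lnk", linkname="../readme.txt", kind=tarfile.SYMTYPE)  # stays inside docs/
        add("../.profile", b"evil")                                           # climbs out of the tree
        add("docs/../../etc/passwd", b"evil")                                 # same, disguised
        add("link", linkname="../../outside", kind=tarfile.SYMTYPE)           # link target climbs out
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in find_unsafe_members(build_sample_archive()):
        print(f"UNSAFE {name!r}: {reason}")
```

The sample deliberately includes a relative symlink that stays inside its own directory, which a naive "contains .." check would wrongly flag.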
Modification History

23-Mar-2010: Updated Contributing Factors and Resolution sections. Resolved.
18-Oct-2010: Updated for patch clarifications.

References

139099-03
139100-03
118191-04
118192-04

Attachments

This solution has no attachment.