Executive Summary

Summary
Title: GNU Tar: User-assisted execution of arbitrary code
Information
Name: GLSA-201111-11
First vendor Publication: 2011-11-20
Vendor: Gentoo
Last vendor Modification: 2011-11-20
Severity (Vendor): Normal
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score: 6.8
Attack Range: Network
Cvss Impact Score: 6.4
Attack Complexity: Medium
Cvss Exploit Score: 8.6
Authentication: None Required

Detail

Synopsis

A buffer overflow flaw in GNU Tar could result in execution of arbitrary code or a Denial of Service.

Background

GNU Tar is a utility to create archives as well as add and extract files from archives.

Description

GNU Tar is vulnerable to a boundary error in the rmt_read__ function in lib/rtapelib.c, which could cause a heap-based buffer overflow.

Impact

A remote attacker could entice the user to load a specially crafted archive, possibly resulting in the execution of arbitrary code or a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All GNU Tar users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/tar-1.23"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since July 18, 2010. It is likely that your system is already no longer affected by this issue.

References

[ 1 ] CVE-2010-0624 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0624

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201111-11.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201111-11.xml

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10277
 
Oval ID: oval:org.mitre.oval:def:10277
Title: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
Description: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
Family: unix Class: vulnerability
Reference(s): CVE-2010-0624
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21485
 
Oval ID: oval:org.mitre.oval:def:21485
Title: RHSA-2010:0144: cpio security update (Moderate)
Description: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
Family: unix Class: patch
Reference(s): RHSA-2010:0144-01
CESA-2010:0144
CVE-2007-4476
CVE-2010-0624
Version: 29
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): cpio
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22152
 
Oval ID: oval:org.mitre.oval:def:22152
Title: RHSA-2010:0141: tar security update (Moderate)
Description: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
Family: unix Class: patch
Reference(s): RHSA-2010:0141-01
CESA-2010:0141
CVE-2007-4476
CVE-2010-0624
Version: 29
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): tar
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22400
 
Oval ID: oval:org.mitre.oval:def:22400
Title: ELSA-2010:0141: tar security update (Moderate)
Description: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
Family: unix Class: patch
Reference(s): ELSA-2010:0141-01
CVE-2007-4476
CVE-2010-0624
Version: 13
Platform(s): Oracle Linux 5
Product(s): tar
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22814
 
Oval ID: oval:org.mitre.oval:def:22814
Title: ELSA-2010:0144: cpio security update (Moderate)
Description: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
Family: unix Class: patch
Reference(s): ELSA-2010:0144-01
CVE-2007-4476
CVE-2010-0624
Version: 13
Platform(s): Oracle Linux 5
Product(s): cpio
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27994
 
Oval ID: oval:org.mitre.oval:def:27994
Title: DEPRECATED: ELSA-2010-0144 -- cpio security update (moderate)
Description: [2.6-23.1] - CVE-2010-0624 fix heap-based buffer overflow by expanding a specially-crafted archive - CVE-2007-4476 fix stack crashing in safer_name_suffix
Family: unix Class: patch
Reference(s): ELSA-2010-0144
CVE-2007-4476
CVE-2010-0624
Version: 4
Platform(s): Oracle Linux 5
Product(s): cpio
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6907
 
Oval ID: oval:org.mitre.oval:def:6907
Title: VMware ESX,Service Console update for cpio and tar.
Description: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
Family: unix Class: vulnerability
Reference(s): CVE-2010-0624
Version: 5
Platform(s): VMWare ESX Server 3.5
VMWare ESX Server 4.0
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 14
Application 25

OpenVAS Exploits

Date Description
2012-02-12 Name : Gentoo Security Advisory GLSA 201111-11 (tar)
File : nvt/glsa_201111_11.nasl
2011-08-09 Name : CentOS Update for tar CESA-2010:0141 centos5 i386
File : nvt/gb_CESA-2010_0141_tar_centos5_i386.nasl
2011-08-09 Name : CentOS Update for cpio CESA-2010:0144 centos5 i386
File : nvt/gb_CESA-2010_0144_cpio_centos5_i386.nasl
2010-03-31 Name : Mandriva Update for cpio MDVSA-2010:065 (cpio)
File : nvt/gb_mandriva_MDVSA_2010_065.nasl
2010-03-31 Name : Fedora Update for tar FEDORA-2010-4306
File : nvt/gb_fedora_2010_4306_tar_fc11.nasl
2010-03-31 Name : Fedora Update for cpio FEDORA-2010-4302
File : nvt/gb_fedora_2010_4302_cpio_fc11.nasl
2010-03-30 Name : FreeBSD Ports: gtar
File : nvt/freebsd_gtar3.nasl
2010-03-22 Name : RedHat Update for cpio RHSA-2010:0143-01
File : nvt/gb_RHSA-2010_0143-01_cpio.nasl
2010-03-22 Name : Fedora Update for cpio FEDORA-2010-4321
File : nvt/gb_fedora_2010_4321_cpio_fc12.nasl
2010-03-22 Name : Fedora Update for tar FEDORA-2010-4309
File : nvt/gb_fedora_2010_4309_tar_fc12.nasl
2010-03-22 Name : RedHat Update for cpio RHSA-2010:0145-01
File : nvt/gb_RHSA-2010_0145-01_cpio.nasl
2010-03-22 Name : RedHat Update for cpio RHSA-2010:0144-01
File : nvt/gb_RHSA-2010_0144-01_cpio.nasl
2010-03-22 Name : RedHat Update for tar RHSA-2010:0142-01
File : nvt/gb_RHSA-2010_0142-01_tar.nasl
2010-03-22 Name : RedHat Update for tar RHSA-2010:0141-01
File : nvt/gb_RHSA-2010_0141-01_tar.nasl
2010-03-22 Name : CentOS Update for cpio CESA-2010:0145 centos3 i386
File : nvt/gb_CESA-2010_0145_cpio_centos3_i386.nasl
2010-03-22 Name : CentOS Update for cpio CESA-2010:0143 centos4 i386
File : nvt/gb_CESA-2010_0143_cpio_centos4_i386.nasl
2010-03-22 Name : CentOS Update for tar CESA-2010:0142 centos3 i386
File : nvt/gb_CESA-2010_0142_tar_centos3_i386.nasl
2010-03-22 Name : CentOS Update for tar CESA-2010:0141 centos4 i386
File : nvt/gb_CESA-2010_0141_tar_centos4_i386.nasl
2010-02-19 Name : Mandriva Update for mandriva-release MDVA-2010:065 (mandriva-release)
File : nvt/gb_mandriva_MDVA_2010_065.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
62950 GNU tar rmt Client lib/rtapelib.c rmt_read__ Function Remote Overflow

GNU tar is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a heap overflow. With a specially crafted response or file, a remote attacker can potentially cause arbitrary code execution.
62857 GNU cpio rmt Client lib/rtapelib.c rmt_read__ Function Remote Overflow

GNU cpio is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a heap overflow. With a specially crafted response or file, a remote attacker can potentially cause arbitrary code execution.

Information Assurance Vulnerability Management (IAVM)

Date Description
2015-07-16 IAVM : 2015-A-0150 - Multiple Security Vulnerabilities in Juniper Networks CTPView
Severity : Category I - VMSKEY : V0061073

Nessus® Vulnerability Scanner

Date Description
2016-03-08 Name : The remote VMware ESX host is missing a security-related patch.
File : vmware_VMSA-2010-0013_remote.nasl - Type : ACT_GATHER_INFO
2015-01-09 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2456-1.nasl - Type : ACT_GATHER_INFO
2013-11-29 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201311-21.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2010-0145.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2010-0144.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2010-0143.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2010-0142.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2010-0141.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing a security update.
File : sl_20100315_tar_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing a security update.
File : sl_20100315_cpio_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2011-11-22 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201111-11.nasl - Type : ACT_GATHER_INFO
2010-12-02 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_tar-100312.nasl - Type : ACT_GATHER_INFO
2010-12-02 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_cpio-100328.nasl - Type : ACT_GATHER_INFO
2010-10-11 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_tar-6922.nasl - Type : ACT_GATHER_INFO
2010-10-11 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_cpio-6948.nasl - Type : ACT_GATHER_INFO
2010-09-02 Name : The remote VMware ESX host is missing one or more security-related patches.
File : vmware_VMSA-2010-0013.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-4309.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-4321.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-4302.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-4274.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-4267.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-4306.nasl - Type : ACT_GATHER_INFO
2010-05-11 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2010-0144.nasl - Type : ACT_GATHER_INFO
2010-05-11 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2010-0145.nasl - Type : ACT_GATHER_INFO
2010-05-11 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2010-0143.nasl - Type : ACT_GATHER_INFO
2010-05-11 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2010-0142.nasl - Type : ACT_GATHER_INFO
2010-05-11 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2010-0141.nasl - Type : ACT_GATHER_INFO
2010-05-04 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12603.nasl - Type : ACT_GATHER_INFO
2010-05-01 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12596.nasl - Type : ACT_GATHER_INFO
2010-05-01 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_tar-100312.nasl - Type : ACT_GATHER_INFO
2010-05-01 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_tar-100312.nasl - Type : ACT_GATHER_INFO
2010-05-01 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_tar-100312.nasl - Type : ACT_GATHER_INFO
2010-03-25 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_c175d72f377311df8bb80211d880e350.nasl - Type : ACT_GATHER_INFO
2010-03-24 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-065.nasl - Type : ACT_GATHER_INFO
2010-03-19 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2010-0145.nasl - Type : ACT_GATHER_INFO
2010-03-19 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2010-0143.nasl - Type : ACT_GATHER_INFO
2010-03-19 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2010-0142.nasl - Type : ACT_GATHER_INFO
2010-03-17 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2010-0141.nasl - Type : ACT_GATHER_INFO
2010-03-17 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2010-0144.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:37:06
  • Multiple Updates