Executive Summary
Summary | |
---|---|
Title | tar vulnerability |
Informations | |||
---|---|---|---|
Name | USN-709-1 | First vendor Publication | 2009-01-15 |
Vendor | Ubuntu | Last vendor Modification | 2009-01-15 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: Ubuntu 7.10: In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Dmitry V. Levin discovered a buffer overflow in tar. If a user or automated system were tricked into opening a specially crafted tar file, an attacker could crash tar or possibly execute arbitrary code with the privileges of the user invoking the program. |
Original Source
Url : http://www.ubuntu.com/usn/USN-709-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13929 | |||
Oval ID: | oval:org.mitre.oval:def:13929 | ||
Title: | USN-709-1 -- tar vulnerability | ||
Description: | Dmitry V. Levin discovered a buffer overflow in tar. If a user or automated system were tricked into opening a specially crafted tar file, an attacker could crash tar or possibly execute arbitrary code with the privileges of the user invoking the program. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-709-1 CVE-2007-4476 | Version: | 5 |
Platform(s): | Ubuntu 7.10 Ubuntu 6.06 | Product(s): | tar |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17789 | |||
Oval ID: | oval:org.mitre.oval:def:17789 | ||
Title: | USN-650-1 -- cpio vulnerability | ||
Description: | A buffer overflow was discovered in cpio. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-650-1 CVE-2007-4476 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | cpio |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18211 | |||
Oval ID: | oval:org.mitre.oval:def:18211 | ||
Title: | DSA-1566-1 cpio - programming error | ||
Description: | Dmitry Levin discovered a vulnerability in path handling code used by the cpio archive utility. The weakness could enable a denial of service (crash) or potentially the execution of arbitrary code if a vulnerable version of cpio is used to extract or to list the contents of a maliciously crafted archive. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1566-1 CVE-2007-4476 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | cpio |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20059 | |||
Oval ID: | oval:org.mitre.oval:def:20059 | ||
Title: | DSA-1438-1 tar | ||
Description: | Several vulnerabilities have been discovered in GNU Tar. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1438-1 CVE-2007-4131 CVE-2007-4476 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | tar |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7114 | |||
Oval ID: | oval:org.mitre.oval:def:7114 | ||
Title: | VMware ESX,Service Console update for cpio and tar. | ||
Description: | Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack." | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4476 | Version: | 5 |
Platform(s): | VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:8098 | |||
Oval ID: | oval:org.mitre.oval:def:8098 | ||
Title: | DSA-1566 cpio -- programming error | ||
Description: | Dmitry Levin discovered a vulnerability in path handling code used by the cpio archive utility. The weakness could enable a denial of service (crash) or potentially the execution of arbitrary code if a vulnerable version of cpio is used to extract or to list the contents of a maliciously crafted archive. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1566 CVE-2007-4476 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | cpio |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:8599 | |||
Oval ID: | oval:org.mitre.oval:def:8599 | ||
Title: | Security Vulnerabilities in GNU tar (see gtar(1)) May Lead to Files Being Overwritten, Execution of Arbitrary Code, or a Denial of Service (DoS) | ||
Description: | Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack." | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4476 | Version: | 2 |
Platform(s): | Sun Solaris 9 Sun Solaris 10 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9336 | |||
Oval ID: | oval:org.mitre.oval:def:9336 | ||
Title: | Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack." | ||
Description: | Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack." | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4476 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for tar CESA-2010:0141 centos5 i386 File : nvt/gb_CESA-2010_0141_tar_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for cpio CESA-2010:0144 centos5 i386 File : nvt/gb_CESA-2010_0144_cpio_centos5_i386.nasl |
2010-03-22 | Name : CentOS Update for tar CESA-2010:0141 centos4 i386 File : nvt/gb_CESA-2010_0141_tar_centos4_i386.nasl |
2010-03-22 | Name : RedHat Update for tar RHSA-2010:0141-01 File : nvt/gb_RHSA-2010_0141-01_tar.nasl |
2010-03-22 | Name : RedHat Update for cpio RHSA-2010:0144-01 File : nvt/gb_RHSA-2010_0144-01_cpio.nasl |
2009-10-10 | Name : SLES9: Security update for cpio File : nvt/sles9p5013486.nasl |
2009-06-05 | Name : Ubuntu USN-707-1 (cupsys) File : nvt/ubuntu_707_1.nasl |
2009-04-09 | Name : Mandriva Update for cpio MDKSA-2007:233 (cpio) File : nvt/gb_mandriva_MDKSA_2007_233.nasl |
2009-04-09 | Name : Mandriva Update for tar MDKSA-2007:197 (tar) File : nvt/gb_mandriva_MDKSA_2007_197.nasl |
2009-03-23 | Name : Ubuntu Update for cpio vulnerability USN-650-1 File : nvt/gb_ubuntu_USN_650_1.nasl |
2009-02-27 | Name : Fedora Update for cpio FEDORA-2007-2744 File : nvt/gb_fedora_2007_2744_cpio_fc7.nasl |
2009-02-27 | Name : Fedora Update for cpio FEDORA-2007-742 File : nvt/gb_fedora_2007_742_cpio_fc6.nasl |
2009-02-27 | Name : Fedora Update for tar FEDORA-2007-735 File : nvt/gb_fedora_2007_735_tar_fc6.nasl |
2009-02-27 | Name : Fedora Update for cpio FEDORA-2007-2827 File : nvt/gb_fedora_2007_2827_cpio_fc8.nasl |
2009-02-27 | Name : Fedora Update for tar FEDORA-2007-2800 File : nvt/gb_fedora_2007_2800_tar_fc8.nasl |
2009-02-27 | Name : Fedora Update for tar FEDORA-2007-2673 File : nvt/gb_fedora_2007_2673_tar_fc7.nasl |
2009-01-20 | Name : Ubuntu USN-709-1 (tar) File : nvt/ubuntu_709_1.nasl |
2009-01-20 | Name : Ubuntu USN-708-1 (hplip) File : nvt/ubuntu_708_1.nasl |
2009-01-20 | Name : FreeBSD Ports: gtar File : nvt/freebsd_gtar2.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200711-18 (cpio) File : nvt/glsa_200711_18.nasl |
2008-05-12 | Name : Debian Security Advisory DSA 1566-1 (cpio) File : nvt/deb_1566_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1438-1 (tar) File : nvt/deb_1438_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42149 | GNU tar safer_name_suffix Function Unspecified Overflow |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-07-16 | IAVM : 2015-A-0150 - Multiple Security Vulnerabilities in Juniper Networks CTPView Severity : Category I - VMSKEY : V0061073 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-08 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0013_remote.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2010-0144.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2010-0141.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20100315_tar_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20100315_cpio_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2010-09-02 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2010-0013.nasl - Type : ACT_GATHER_INFO |
2010-05-11 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2010-0144.nasl - Type : ACT_GATHER_INFO |
2010-05-11 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2010-0141.nasl - Type : ACT_GATHER_INFO |
2010-03-17 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2010-0144.nasl - Type : ACT_GATHER_INFO |
2010-03-17 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2010-0141.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-709-1.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-650-1.nasl - Type : ACT_GATHER_INFO |
2009-01-19 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_0809ce7df67249249b3b7c74bc279b83.nasl - Type : ACT_GATHER_INFO |
2008-05-09 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1566.nasl - Type : ACT_GATHER_INFO |
2007-12-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1438.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_cpio-4184.nasl - Type : ACT_GATHER_INFO |
2007-11-29 | Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2007-233.nasl - Type : ACT_GATHER_INFO |
2007-11-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200711-18.nasl - Type : ACT_GATHER_INFO |
2007-11-07 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2827.nasl - Type : ACT_GATHER_INFO |
2007-11-07 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2800.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-735.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2744.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2673.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-742.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_cpio-4180.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2007-197.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:05:37 |
|