tar-1.34-2.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11422 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z tar-1.34-2.2 on GA media These are all security issues fixed in the tar-1.34-2.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11422 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11422 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2001-1267/ SUSE CVE CVE-2001-1267 page https://www.suse.com/security/cve/CVE-2002-0399/ SUSE CVE CVE-2002-0399 page https://www.suse.com/security/cve/CVE-2005-1918/ SUSE CVE CVE-2005-1918 page https://www.suse.com/security/cve/CVE-2006-0300/ SUSE CVE CVE-2006-0300 page https://www.suse.com/security/cve/CVE-2006-6097/ SUSE CVE CVE-2006-6097 page https://www.suse.com/security/cve/CVE-2018-20482/ SUSE CVE CVE-2018-20482 page https://www.suse.com/security/cve/CVE-2019-9923/ SUSE CVE CVE-2019-9923 page openSUSE Tumbleweed tar-1.34-2.2 tar-backup-scripts-1.34-2.2 tar-doc-1.34-2.2 tar-lang-1.34-2.2 tar-rmt-1.34-2.2 tar-tests-1.34-2.2 tar-1.34-2.2 as a component of openSUSE Tumbleweed tar-backup-scripts-1.34-2.2 as a component of openSUSE Tumbleweed tar-doc-1.34-2.2 as a component of openSUSE Tumbleweed tar-lang-1.34-2.2 as a component of openSUSE Tumbleweed tar-rmt-1.34-2.2 as a component of openSUSE Tumbleweed tar-tests-1.34-2.2 as a component of openSUSE Tumbleweed Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot). CVE-2001-1267 openSUSE Tumbleweed:tar-1.34-2.2 openSUSE Tumbleweed:tar-backup-scripts-1.34-2.2 openSUSE Tumbleweed:tar-doc-1.34-2.2 openSUSE Tumbleweed:tar-lang-1.34-2.2 openSUSE Tumbleweed:tar-rmt-1.34-2.2 openSUSE Tumbleweed:tar-tests-1.34-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2001-1267.html CVE-2001-1267 https://bugzilla.suse.com/1203750 SUSE Bug 1203750 https://bugzilla.suse.com/299738 SUSE Bug 299738 https://bugzilla.suse.com/299745 SUSE Bug 299745 https://bugzilla.suse.com/299747 SUSE Bug 299747 Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, and possibly later versions, allows attackers to overwrite arbitrary files during archive extraction via a (1) "/.." or (2) "./.." string, which removes the leading slash but leaves the "..", a variant of CVE-2001-1267. CVE-2002-0399 openSUSE Tumbleweed:tar-1.34-2.2 openSUSE Tumbleweed:tar-backup-scripts-1.34-2.2 openSUSE Tumbleweed:tar-doc-1.34-2.2 openSUSE Tumbleweed:tar-lang-1.34-2.2 openSUSE Tumbleweed:tar-rmt-1.34-2.2 openSUSE Tumbleweed:tar-tests-1.34-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2002-0399.html CVE-2002-0399 https://bugzilla.suse.com/145081 SUSE Bug 145081 https://bugzilla.suse.com/299738 SUSE Bug 299738 https://bugzilla.suse.com/299745 SUSE Bug 299745 https://bugzilla.suse.com/299747 SUSE Bug 299747 The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/". CVE-2005-1918 openSUSE Tumbleweed:tar-1.34-2.2 openSUSE Tumbleweed:tar-backup-scripts-1.34-2.2 openSUSE Tumbleweed:tar-doc-1.34-2.2 openSUSE Tumbleweed:tar-lang-1.34-2.2 openSUSE Tumbleweed:tar-rmt-1.34-2.2 openSUSE Tumbleweed:tar-tests-1.34-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2005-1918.html CVE-2005-1918 https://bugzilla.suse.com/145081 SUSE Bug 145081 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. CVE-2006-0300 openSUSE Tumbleweed:tar-1.34-2.2 openSUSE Tumbleweed:tar-backup-scripts-1.34-2.2 openSUSE Tumbleweed:tar-doc-1.34-2.2 openSUSE Tumbleweed:tar-lang-1.34-2.2 openSUSE Tumbleweed:tar-rmt-1.34-2.2 openSUSE Tumbleweed:tar-tests-1.34-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-0300.html CVE-2006-0300 https://bugzilla.suse.com/151516 SUSE Bug 151516 GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. CVE-2006-6097 openSUSE Tumbleweed:tar-1.34-2.2 openSUSE Tumbleweed:tar-backup-scripts-1.34-2.2 openSUSE Tumbleweed:tar-doc-1.34-2.2 openSUSE Tumbleweed:tar-lang-1.34-2.2 openSUSE Tumbleweed:tar-rmt-1.34-2.2 openSUSE Tumbleweed:tar-tests-1.34-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-6097.html CVE-2006-6097 https://bugzilla.suse.com/223185 SUSE Bug 223185 GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root). CVE-2018-20482 openSUSE Tumbleweed:tar-1.34-2.2 openSUSE Tumbleweed:tar-backup-scripts-1.34-2.2 openSUSE Tumbleweed:tar-doc-1.34-2.2 openSUSE Tumbleweed:tar-lang-1.34-2.2 openSUSE Tumbleweed:tar-rmt-1.34-2.2 openSUSE Tumbleweed:tar-tests-1.34-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20482.html CVE-2018-20482 https://bugzilla.suse.com/1120610 SUSE Bug 1120610 pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers. CVE-2019-9923 openSUSE Tumbleweed:tar-1.34-2.2 openSUSE Tumbleweed:tar-backup-scripts-1.34-2.2 openSUSE Tumbleweed:tar-doc-1.34-2.2 openSUSE Tumbleweed:tar-lang-1.34-2.2 openSUSE Tumbleweed:tar-rmt-1.34-2.2 openSUSE Tumbleweed:tar-tests-1.34-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9923.html CVE-2019-9923 https://bugzilla.suse.com/1130496 SUSE Bug 1130496