Security update for tar SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2874-1 Final 1 1 2016-11-22T13:57:17Z current 2016-11-22T13:57:17Z 2016-11-22T13:57:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tar This update for tar fixes the following issues: - extract files recursively with --files-from [boo#913058] - Fix POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting files and directories in the given destination, regardless of the path name(s) specified on the command line [boo#1007188] [CVE-2016-6321] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-11/msg00094.html E-Mail link for openSUSE-SU-2016:2874-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 tar-1.28-2.19.1 tar-backup-scripts-1.28-2.19.1 tar-debuginfo-1.28-2.19.1 tar-debugsource-1.28-2.19.1 tar-lang-1.28-2.19.1 tar-tests-1.28-2.19.1 tar-tests-debuginfo-1.28-2.19.1 tar-1.28-2.19.1 as a component of openSUSE 13.2 tar-backup-scripts-1.28-2.19.1 as a component of openSUSE 13.2 tar-debuginfo-1.28-2.19.1 as a component of openSUSE 13.2 tar-debugsource-1.28-2.19.1 as a component of openSUSE 13.2 tar-lang-1.28-2.19.1 as a component of openSUSE 13.2 tar-tests-1.28-2.19.1 as a component of openSUSE 13.2 tar-tests-debuginfo-1.28-2.19.1 as a component of openSUSE 13.2 Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. CVE-2016-6321 openSUSE 13.2:tar-1.28-2.19.1 openSUSE 13.2:tar-backup-scripts-1.28-2.19.1 openSUSE 13.2:tar-debuginfo-1.28-2.19.1 openSUSE 13.2:tar-debugsource-1.28-2.19.1 openSUSE 13.2:tar-lang-1.28-2.19.1 openSUSE 13.2:tar-tests-1.28-2.19.1 openSUSE 13.2:tar-tests-debuginfo-1.28-2.19.1 moderate 2.5 AV:N/AC:H/Au:N/C:N/I:P/A:N Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-11/msg00094.html https://www.suse.com/security/cve/CVE-2016-6321.html CVE-2016-6321 https://bugzilla.suse.com/1007188 SUSE Bug 1007188