FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

gtar -- name mangling symlink vulnerability

Affected systems
5.5 < FreeBSD < 5.5_9
4.11 < FreeBSD < 4.11_26

Details

VuXML ID 44449bf7-c69b-11db-9f82-000e0c2e438a
Discovery 2006-12-06
Entry 2007-02-27

Problem Description:

Symlinks created using the "GNUTYPE_NAMES" tar extension can be absolute due to lack of proper sanity checks.

Impact:

If an attacker can get a user to extract a specially crafted tar archive, the attacker can overwrite arbitrary files with the permissions of the user running gtar. If file system permissions allow it, this may allow the attacker to overwrite important system files (if gtar is being run as root), or important user configuration files such as .tcshrc or .bashrc, which would allow the attacker to run arbitrary commands.

Workaround:

Use "bsdtar", which is the default tar implementation in FreeBSD 5.3 and higher. For FreeBSD 4.x, bsdtar is available in the FreeBSD Ports Collection as ports/archivers/libarchive.
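As an added example (not part of the advisory and not gtar's or bsdtar's code), a pre-extraction audit in Python that flags the class of entry described above, and goes a step beyond it by also catching relative symlink targets that climb out of the extraction root and entries written through a symlink created earlier in the same archive. The extraction root and the sample archive are constructed for illustration; Python's tarfile does not interpret the obsolete GNUTYPE_NAMES record, so the check operates on the standard symlink entries.

```python
import io
import posixpath
import tarfile

def _escapes(root, rel_path):
    """True if rel_path, placed under root, resolves to a path outside root."""
    full = posixpath.normpath(posixpath.join(root, rel_path))
    return full != root and not full.startswith(root + "/")

def find_unsafe_members(archive_bytes, root="/home/user/extract"):
    """Return (member name, reason) for entries that would touch a path outside
    root: climbing entry paths, absolute symlink targets (the advisory's case),
    relative targets that escape, and entries written through an earlier symlink."""
    findings, symlinks = [], set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():  # archive order == extraction order
            name = posixpath.normpath(m.name)
            if posixpath.isabs(name) or _escapes(root, name):
                findings.append((m.name, "entry path escapes extraction root"))
                continue
            parts = name.split("/")
            if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                findings.append((m.name, "path passes through an earlier symlink"))
                continue
            if m.issym():
                if posixpath.isabs(m.linkname):
                    findings.append((m.name, "absolute symlink target"))
                elif _escapes(root, posixpath.join(posixpath.dirname(name), m.linkname)):
                    findings.append((m.name, "relative symlink target escapes root"))
                symlinks.add(name)  # later entries under this name go through the link
    return findings

def build_sample_archive():
    """Constructed in-memory test archive; the root above is a hypothetical path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        entries = [("docs/README", None), ("docs/latest", "README"),      # both safe
                   ("rc", "/home/user/.bashrc"), ("docs/up", "../../escape"),
                   ("docs/up/notes", None)]                                # via symlink
        for name, target in entries:
            ti = tarfile.TarInfo(name)
            if target is not None:
                ti.type, ti.linkname = tarfile.SYMTYPE, target
            tf.addfile(ti, io.BytesIO(b"") if target is None else None)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in find_unsafe_members(build_sample_archive()):
        print(f"{name}: {reason}")
```

Run the audit on an archive before extracting it with any tar implementation and refuse extraction when the list is non-empty.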

References

CVE Name CVE-2006-6097
FreeBSD Advisory SA-06:26.gtar