CVE-2013-4420

Name
CVE-2013-4420
Description
Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type     URI
CONFIRM  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
MLIST    https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html
DEBIAN   http://www.debian.org/security/2014/dsa-2863

Match rules

CPE URI                                      Source package  Min version  Max version
cpe:2.3:a:feep:libtar:1.2.16:*:*:*:*:*:*:*   libtar          == None      == 1.2.16
cpe:2.3:a:feep:libtar:1.2.17:*:*:*:*:*:*:*   libtar          == None      == 1.2.17
cpe:2.3:a:feep:libtar:1.2.18:*:*:*:*:*:*:*   libtar          == None      == 1.2.18
cpe:2.3:a:feep:libtar:1.2.19:*:*:*:*:*:*:*   libtar          == None      == 1.2.19
cpe:2.3:a:feep:libtar:1.2.11:*:*:*:*:*:*:*   libtar          == None      == 1.2.11
cpe:2.3:a:feep:libtar:1.2.14:*:*:*:*:*:*:*   libtar          == None      == 1.2.14
cpe:2.3:a:feep:libtar:1.2.13:*:*:*:*:*:*:*   libtar          == None      == 1.2.13
cpe:2.3:a:feep:libtar:1.2.15:*:*:*:*:*:*:*   libtar          == None      == 1.2.15
cpe:2.3:a:feep:libtar:*:*:*:*:*:*:*:*        libtar          >= None      <= 1.2.20

Vulnerable and fixed packages

Source package  Branch          Version   Maintainer                                Status
libtar          3.16-community  1.2.20-r0 Maarten van Gompel <proycon@anaproy.nl>  possibly vulnerable
libtar          3.17-community  1.2.20-r0 Maarten van Gompel <proycon@anaproy.nl>  possibly vulnerable
libtar          3.18-community  1.2.20-r0 Maarten van Gompel <proycon@anaproy.nl>  possibly vulnerable