CVE-2016-6321 — tar - security update

Description

Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.

How to fix CVE-2016-6321

To remediate CVE-2016-6321, upgrade the affected package to a fixed version below.

—upgrade to 1.29-r1 or later
—upgrade to 1.29b-1.1 or later
—upgrade to 1.26+dfsg-0.1+deb7u1 or later
—upgrade to 1.27.1-2+deb8u1 or later

Is CVE-2016-6321 being exploited?

Moderate — EPSS is 14.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (4)

from 0, < 1.29-r1
from 0, < 1.29b-1.1
from 0, < 1.26+dfsg-0.1+deb7u1
from 0, < 1.27.1-2+deb8u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2016-6321
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-6321