News

=========================================================== Ubuntu Security Notice USN-385-1 November 27, 2006 tar vulnerability CVE-2006-6097 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.10 Ubuntu 6.06 LTS Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.10: tar 1.15.1-2ubuntu0.2 Ubuntu 6.06 LTS: tar 1.15.1-2ubuntu2.1 Ubuntu 6.10: tar 1.15.91-2ubuntu0.3 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.