Imran Ghory

**Name of the Vulnerable Software and Affected Versions** Tar version 1.15.1 **Description** The issue is related to the extraction of setuid or setgid files, where the software does not properly warn the user. This may allow local users or remote attackers to gain privileges. **Recommendations** For Tar version 1.15.1, consider updating to a newer version that addresses this issue, as the current version does not properly handle the extraction of setuid or setgid files, potentially leading to privilege escalation.

**Name of the Vulnerable Software and Affected Versions** Unzip version 5.52 **Description** A race condition exists in Unzip, allowing local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed. This occurs because Unzip changes the permissions of the file after decompression is complete, which can be exploited by creating a hard link to the file being decompressed. **Recommendations** For Unzip version 5.52, consider updating to a newer version that addresses this issue, as using a hard link attack on a file being decompressed can lead to unauthorized permission changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: cpio versions 2.6 and earlier Description: A directory traversal issue allows remote attackers to write to arbitrary directories by including a .. (dot dot) in a cpio file. Recommendations: For cpio versions 2.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cpio versions 2.6 and earlier **Description** A race condition issue allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed. The permissions of the file are changed by cpio after the decompression is complete. **Recommendations** For cpio versions 2.6 and earlier, consider restricting access to the cpio decompression functionality until a patch is available. As a temporary workaround, avoid using cpio for decompressing files that require specific permission settings. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gzip versions 1.2.4 and earlier, 1.3.3 and earlier **Description** A race condition exists when decompressing a gzipped file, allowing local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed. This occurs because gzip changes the permissions of the file after decompression is complete. **Recommendations** For gzip versions 1.2.4 and earlier, and 1.3.3 and earlier, consider updating to a newer version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bzip2 versions 1.0.2 and earlier **Description** A race condition issue exists, allowing local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed. This occurs because the permissions of the file are changed by bzip2 after the decompression is complete. **Recommendations** For bzip2 versions 1.0.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.