PT-2016-3297 · Gnu+3 · Gnu Tar+3
Harry Sintonen · Published 2015-10-09 · Updated 2025-08-06
CVE-2016-6321
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
GNU tar versions 1.14 through 1.29
Description
The issue is related to a directory traversal vulnerability in the safer_name_suffix function. This vulnerability might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter. The vulnerability exists due to incorrect limitation of the path name to a directory with limited access.
Recommendations
For GNU tar versions 1.14 through 1.29, consider updating to a version that contains a fix for this issue. As a temporary workaround, restrict access to the safer_name_suffix function to minimize the risk of exploitation. Avoid using the file_name parameter in affected functions until the issue is resolved.
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Gnu Tar
Suse
Ubuntu