ASA-201611-11 generated external raw

[ASA-201611-11] tar: arbitrary file overwrite
Arch Linux Security Advisory ASA-201611-11 ========================================== Severity: Medium Date : 2016-11-03 CVE-ID : CVE-2016-6321 Package : tar Type : arbitrary file overwrite Remote : Yes Link : Summary ======= The package tar before version 1.29-2 is vulnerable to arbitrary file overwrite. Resolution ========== Upgrade to 1.29-2. # pacman -Syu "tar>=1.29-2" The problem has been fixed upstream but no release is available yet. Workaround ========== None. Description =========== The GNU tar archiver attempts to avoid path traversal attacks by removing offending parts of the element name at extract. This sanitizing leads to a vulnerability where the attacker can bypass the path name(s) specified on the command line leading to arbitrary overwrite of files and directories inside the target directory. Impact ====== A remote attacker is able to use a specially crafted tar archive that, when extracted by the victim, replaces files and directories regardless of the path name(s) specified. References ==========