Security update for tar SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:2896-1 Final 1 1 2016-11-24T07:37:01Z current 2016-11-24T07:37:01Z 2016-11-24T07:37:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tar This update for tar fixes the following issues: - Fix the POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting files and directories in the given destination, regardless of the path name(s) specified on the command line [bsc#1007188] [CVE-2016-6321] - Fix Amanda integration issue (bsc#913058) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2016-1690,SUSE-SLE-DESKTOP-12-SP2-2016-1690,SUSE-SLE-RPI-12-SP2-2016-1690,SUSE-SLE-SERVER-12-SP1-2016-1690,SUSE-SLE-SERVER-12-SP2-2016-1690 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20162896-1/ Link for SUSE-SU-2016:2896-1 https://lists.suse.com/pipermail/sle-security-updates/2016-November/002417.html E-Mail link for SUSE-SU-2016:2896-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1007188 SUSE Bug 1007188 https://bugzilla.suse.com/913058 SUSE Bug 913058 https://www.suse.com/security/cve/CVE-2016-6321/ SUSE CVE CVE-2016-6321 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 tar-1.27.1-11.1 tar-lang-1.27.1-11.1 tar-1.27.1-11.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 tar-lang-1.27.1-11.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 tar-1.27.1-11.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 tar-lang-1.27.1-11.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 tar-1.27.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP1 tar-lang-1.27.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP1 tar-1.27.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP2 tar-lang-1.27.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP2 tar-1.27.1-11.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tar-lang-1.27.1-11.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tar-1.27.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 tar-lang-1.27.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 tar-1.27.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tar-lang-1.27.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. CVE-2016-6321 SUSE Linux Enterprise Desktop 12 SP1:tar-1.27.1-11.1 SUSE Linux Enterprise Desktop 12 SP1:tar-lang-1.27.1-11.1 SUSE Linux Enterprise Desktop 12 SP2:tar-1.27.1-11.1 SUSE Linux Enterprise Desktop 12 SP2:tar-lang-1.27.1-11.1 SUSE Linux Enterprise Server 12 SP1:tar-1.27.1-11.1 SUSE Linux Enterprise Server 12 SP1:tar-lang-1.27.1-11.1 SUSE Linux Enterprise Server 12 SP2:tar-1.27.1-11.1 SUSE Linux Enterprise Server 12 SP2:tar-lang-1.27.1-11.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tar-1.27.1-11.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tar-lang-1.27.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:tar-1.27.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:tar-lang-1.27.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tar-1.27.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tar-lang-1.27.1-11.1 low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162896-1/ https://www.suse.com/security/cve/CVE-2016-6321.html CVE-2016-6321 https://bugzilla.suse.com/1007188 SUSE Bug 1007188 https://bugzilla.suse.com/1123796 SUSE Bug 1123796