CVE-2011-5325

Published: 7 August 2017

Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink.

Notes

Author: mdeslaur
Note:
bionic only contains first commit
adding the second commit to bionic introduced a regression in debootstrap, see LP: #1737662
new third commit mostly reverses second commit
two new commits are now available that possibly fix further symlink issues

Priority

Low

CVSS 3 Severity Score

7.5

Status

Package: busybox (Launchpad, Ubuntu, Debian)
Release Status
artful Ignored (end of life)
bionic Released (1:1.27.2-2ubuntu3)
cosmic Released (1:1.27.2-2ubuntu3)
disco Released (1:1.27.2-2ubuntu3)
eoan Released (1:1.27.2-2ubuntu3)
focal Released (1:1.27.2-2ubuntu3)
groovy Released (1:1.27.2-2ubuntu3)
hirsute Released (1:1.27.2-2ubuntu3)
precise Ignored (end of life)
trusty Released (1:1.21.0-1ubuntu1.4)
upstream Released (1:1.27.2-1)
vivid Ignored (end of life)
wily Ignored (end of life)
xenial Released (1:1.22.0-15ubuntu1.4)
yakkety Ignored (end of life)
zesty Ignored (end of life)
Patches:
upstream: https://git.busybox.net/busybox/commit/?id=b920a38dc0a87f5884444d4731a8b887b5e16018
upstream: https://git.busybox.net/busybox/commit/?id=bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7
upstream: https://git.busybox.net/busybox/commit/?id=a84db18fc71d09e801df0ebca048d82e90b32c6a
upstream: https://git.busybox.net/busybox/commit/?id=d9503224c8a93a30b0c8627084b2744d3ee6f403
upstream: https://git.busybox.net/busybox/commit/?id=dd56921e2d404c8fc9484290a36411a13d14df1a

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N