{"id":"CVE-2016-6321","details":"Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.","modified":"2026-04-16T01:38:40.212967924Z","published":"2016-12-09T22:59:00.170Z","related":["SUSE-SU-2016:2895-1","SUSE-SU-2016:2896-1","openSUSE-SU-2024:10382-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"ADVISORY","url":"https://sintonen.fi/advisories/tar-extract-pathname-bypass.proper.txt"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3702"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93937"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3132-1"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201611-19"},{"type":"ADVISORY","url":"http://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2016/Oct/96"},{"type":"FIX","url":"http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d"},{"type":"FIX","url":"http://seclists.org/fulldisclosure/2016/Oct/102"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/139370/GNU-tar-1.29-Extract-Pathname-Bypass.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"http://git.savannah.gnu.org/git/tar.git/","events":[{"introduced":"0"},{"last_affected":"95256b3c07fecbacbefbf61d45b2e0634cda42cc"},{"introduced":"0"},{"last_affected":"fb782b023f5510825602f41f41bd56e8948ce8ee"},{"introduced":"0"},{"last_affected":"3352016cf07754706f5b300da9e898c728a52c69"},{"introduced":"0"},{"last_affected":"66ef04d4c8e21b4a160daed7de8bff60d14d3828"},{"introduced":"0"},{"last_affected":"532b2dd31f8cc28c38c369d49b314ad6f9ba1a25"},{"introduced":"0"},{"last_affected":"f572ca0cfb109005deb29de1e299e1ab72f282d2"},{"introduced":"0"},{"last_affected":"e5ef01710ab4be17e8932f196b562244c3842c06"},{"introduced":"0"},{"last_affected":"d3f04456e86b4cce1f863afdc05885f97514412a"},{"introduced":"0"},{"last_affected":"1fb35e737478b9f3bc9cc4c18f2b656f8127f271"},{"introduced":"0"},{"last_affected":"7b57922073a7c21069c5f355549b4d8811881585"},{"introduced":"0"},{"last_affected":"b94eed6d03bd9f34f1d6336af8ea682804eb15b4"},{"introduced":"0"},{"last_affected":"970f999818a52a107a89697666c54397403c09be"},{"introduced":"0"},{"last_affected":"9077de9fa91886697a1294891a8d4e6d17fcd30b"},{"introduced":"0"},{"last_affected":"e8e0b6cb7ac0a7a8d1fb4cb954a8bd8158dded02"},{"introduced":"0"},{"last_affected":"983113b140dbb540923a3112fa27e9f508ff70c5"},{"introduced":"0"},{"last_affected":"ecd700fbfb6c4d04fd67f4fdf9944ff6377ff064"},{"introduced":"0"},{"last_affected":"aea443b9e8ed8f84a3b7c246330aa194f6b7e1ef"},{"introduced":"0"},{"last_affected":"f6c25db5fef8f1e82c7a9e87ed42d311cb1bcb32"},{"introduced":"0"},{"last_affected":"49f3145092b00de0b21bd0b751b6caaa57db4fc4"},{"introduced":"0"},{"last_affected":"b500277de7eeac4893fe6517c38dc417b4a4d976"},{"introduced":"0"},{"last_affected":"20b55f0679d314568ec21ae6db1ea635494e292b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.14"},{"introduced":"0"},{"last_affected":"1.15"},{"introduced":"0"},{"last_affected":"1.15.1"},{"introduced":"0"},{"last_affected":"1.15.90"},{"introduced":"0"},{"last_affected":"1.15.91"},{"introduced":"0"},{"last_affected":"1.16"},{"introduced":"0"},{"last_affected":"1.16.1"},{"introduced":"0"},{"last_affected":"1.17"},{"introduced":"0"},{"last_affected":"1.18"},{"introduced":"0"},{"last_affected":"1.19"},{"introduced":"0"},{"last_affected":"1.20"},{"introduced":"0"},{"last_affected":"1.21"},{"introduced":"0"},{"last_affected":"1.22"},{"introduced":"0"},{"last_affected":"1.23"},{"introduced":"0"},{"last_affected":"1.24"},{"introduced":"0"},{"last_affected":"1.25"},{"introduced":"0"},{"last_affected":"1.26"},{"introduced":"0"},{"last_affected":"1.27"},{"introduced":"0"},{"last_affected":"1.27.1"},{"introduced":"0"},{"last_affected":"1.28"},{"introduced":"0"},{"last_affected":"1.29"}]}},{"type":"GIT","repo":"https://cgit.git.savannah.gnu.org/cgit/tar.git","events":[{"introduced":"0"},{"fixed":"7340f67b9860ea0531c1450e5aa261c50f67165d"}]}],"versions":["alpha_1_13_93","old","release_1_14"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-6321.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}