An updated star package that fixes a path traversal flaw is now available.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Star is a tar-like archiver. It saves multiple files into a single tape or
disk archive, and can restore individual files from the archive. Star
includes multi-volume support, automatic archive format detection and ACL

A path traversal flaw was discovered in the way star extracted archives. A
malicious user could create a tar archive that would cause star to write to
arbitrary files to which the user running star had write access.

CentOS would like to thank Robert Buchholz for reporting this issue.

As well, this update adds the command line argument "-.." to the CentOS
Enterprise Linux 3 version of star. This allows star to extract files
containing "/../" in their pathname.
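As an added illustration, not part of this advisory or of star's own code, the following Python shows the check an extractor needs in order to stop the class of entry described above: an archive member whose name, joined to the extraction directory and resolved, ends up outside that directory (absolute paths and names that climb past the destination with ".."). The archive, its entry names and the destination DEST_DIR are all constructed for the example; nothing is written to disk. Because the check resolves the final path instead of matching on the string "..", it distinguishes an entry such as docs/../notes.txt, which stays inside the tree, from one that climbs above it.

```python
import io
import os
import tarfile

# Directory the archive would be unpacked into. Constructed for this
# example; it does not need to exist because we only reason about paths.
DEST_DIR = "/tmp/star-extract"


def escapes_destination(dest_dir: str, member_name: str) -> bool:
    """Return True if writing `member_name` under `dest_dir` would land outside it.

    realpath() collapses "a/../b" to "b" and follows any symlinks that already
    exist on disk, so an entry that merely contains ".." but stays inside the
    tree is accepted, while one that climbs above the destination is rejected.
    """
    dest_real = os.path.realpath(dest_dir)
    # os.path.join discards dest_real entirely when member_name is absolute,
    # which is exactly the case we want to catch.
    target = os.path.realpath(os.path.join(dest_real, member_name))
    try:
        return os.path.commonpath([dest_real, target]) != dest_real
    except ValueError:
        # Paths on different drives (Windows) cannot be inside the destination.
        return True


def build_sample_archive() -> bytes:
    """Build an in-memory tar; the entry names are constructed for this example."""
    entries = [
        ("docs/readme.txt", b"harmless"),
        ("docs/../notes.txt", b"contains .. but stays inside the tree"),
        ("../../escaped.txt", b"climbs above the extraction directory"),
        ("/etc/constructed-example", b"absolute path"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_escaping_members(archive: bytes, dest_dir: str) -> list:
    """List the entry names in `archive` that would be written outside `dest_dir`."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if escapes_destination(dest_dir, m.name))


if __name__ == "__main__":
    for name in find_escaping_members(build_sample_archive(), DEST_DIR):
        print(f"refusing to extract {name!r}: it would write outside {DEST_DIR}")
```

The decision is made on the resolved target path rather than on the presence of ".." in the name, which is why an extractor can keep a permissive option for names that contain "/../" yet still never write above the directory the user chose.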

Users of star should upgrade to this updated package, which contains
backported patches to correct these issues.