suse · CVE-2016-10729

Quick triage

View at Official suse advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2016-10729 severity moderate: SUSE including 3 source package names (amanda-2.5.2.1-188.5.1, permissions, permissions-zypp-plugin), 6 product×package rows across 5 product lines (SUSE Linux Enterprise Module for Basesystem 15 SP2, SUSE Linux Enterprise Server 11 SP1-TERADATA, … (5 product lines)): Fixed 4, Known Not Affected 2.

Description:

An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The "runtar" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root.