PatchSiren cyber security CVE debrief

CVE-2016-10173 Minitar CVE debrief

CVE-2016-10173 is a directory traversal flaw in Ruby TAR-handling gems. According to NVD, crafted TAR archive entries containing .. path segments can cause affected versions of minitar and archive-tar-minitar to write outside the intended extraction directory, which can lead to arbitrary file overwrite. The issue is rated High and is reachable without privileges or user interaction when an application processes attacker-controlled archives.

Vendor: Minitar
Product: CVE-2016-10173
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Teams running Ruby applications or services that extract TAR archives, especially if they depend on minitar or archive-tar-minitar; package maintainers; security responders responsible for dependency risk review.

Technical summary

NVD classifies the weakness as CWE-22 and lists CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerable ranges in the supplied NVD data are minitar through 0.5.4 and archive-tar-minitar through 0.5.2. The core failure is insufficient path normalization/sanitization during TAR extraction, allowing .. traversal to escape the target directory and overwrite arbitrary files.

Defensive priority

High. The vulnerability requires no privileges and no user interaction, and the integrity impact is high because successful exploitation can overwrite files on disk.

Recommended defensive actions

  • Upgrade minitar to a version newer than 0.5.4, or to the first fixed release identified by the upstream patch/advisory.
  • Upgrade archive-tar-minitar to a version newer than 0.5.2, or apply the referenced upstream patch if an immediate upgrade is not possible.
  • Inventory Ruby dependencies and lockfiles to find transitive use of minitar or archive-tar-minitar.
  • Treat TAR archives from untrusted or semi-trusted sources as hostile and validate extraction paths before writing files.
  • Review affected hosts for unexpected file changes in locations that archive-extraction workflows could reach.
  • Track vendor and distribution advisories referenced in the NVD record for package-specific remediation guidance.
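As an added example that is not minitar's code and not part of the NVD evidence above, the following Ruby shows the "validate extraction paths before writing files" step from the action list and the CWE-22 failure described in the technical summary. Entries are modelled as [name, content] pairs standing in for the objects a TAR reader would yield; the function names safe_extraction_path and extract_entries, the sample entry names and the temporary directories are this example's own. It goes one step past the page by also refusing writes whose parent directory resolves, through a symlink already present under the destination, to somewhere outside it.

```ruby
# Added example: lexical and on-disk checks that keep TAR entries inside the
# extraction directory. Not minitar's own code; entries are modelled as
# [name, content] pairs in place of a TAR reader's entry objects.
require "fileutils"
require "tmpdir"

# Resolves +entry_name+ against +dest_dir+ and returns the absolute target
# path, or nil when the entry would land outside dest_dir (the CWE-22 case).
def safe_extraction_path(dest_dir, entry_name)
  root = File.absolute_path(dest_dir)
  # File.absolute_path collapses "." and "..", and an absolute entry name
  # replaces the base entirely, so "../../etc/passwd" and "/etc/shadow" both
  # resolve to their real targets. It is used instead of File.expand_path
  # because expand_path would also interpret a leading "~" as a home directory.
  target = File.absolute_path(entry_name, root)
  # Compare against the root plus a separator: a bare prefix test would let
  # "/tmp/out" accept "/tmp/outside/x". The root itself is not a valid file
  # target, so "." and "" are rejected as well.
  prefix = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR
  target.start_with?(prefix) ? target : nil
end

# Writes +entries+ into +dest_dir+, refusing any entry whose lexical path
# escapes the directory or whose nearest existing ancestor resolves (through
# a symlink) outside it. Returns the paths written and the names rejected.
def extract_entries(dest_dir, entries)
  real_root = File.realpath(dest_dir)
  real_prefix = real_root.end_with?(File::SEPARATOR) ? real_root : real_root + File::SEPARATOR
  written = []
  rejected = []
  entries.each do |name, content|
    path = safe_extraction_path(dest_dir, name)
    if path.nil?
      rejected << name
      next
    end
    # A symlink planted earlier in the archive can redirect a lexically safe
    # path outside the destination. Check the deepest ancestor that already
    # exists before creating anything, so mkdir_p cannot follow the link either.
    existing = File.dirname(path)
    existing = File.dirname(existing) until File.exist?(existing)
    real_parent = File.realpath(existing)
    if real_parent != real_root && !real_parent.start_with?(real_prefix)
      rejected << name
      next
    end
    FileUtils.mkdir_p(File.dirname(path))
    # Likewise never write through a symlink sitting at the target path itself.
    if File.symlink?(path)
      rejected << name
      next
    end
    File.binwrite(path, content)
    written << path
  end
  { written: written, rejected: rejected }
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir("extract-demo") do |dest|
    # Constructed entry names: one benign file, two attempts to leave dest.
    result = extract_entries(dest, [
      ["docs/readme.txt", "hello\n"],
      ["../../etc/passwd", "overwrite attempt\n"],
      ["/etc/shadow", "overwrite attempt\n"],
    ])
    puts "written:  #{result[:written].inspect}"
    puts "rejected: #{result[:rejected].inspect}"
  end
end
```

The lexical check alone is what closes the `..` traversal the NVD record describes; the realpath step is the extra guard needed once an archive can create symlinks before the files that follow them. Both checks happen before any directory is created or any byte is written, so a rejected entry leaves no trace on disk.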

Evidence notes

The supplied NVD record identifies the issue as CWE-22 and lists the vulnerable CPE ranges for minitar (through 0.5.4) and archive-tar-minitar (through 0.5.2). The record also cites an upstream patch commit, Debian, Gentoo, Puppet, SecurityFocus, and an issue reference tagged as Exploit/Third Party Advisory. This debrief uses only the supplied CVE metadata and reference list.

Official resources

Publicly disclosed in the NVD record on 2017-02-01, with related reference activity in January 2017. Use the CVE published date for timing context; the 2026 modified date only reflects later record maintenance.