[Fedora] Vulnerability in GNU tar - FEDORA-2007-2673
-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5
Dear colleagues,
We have just received the following Fedora Security Advisory. We are passing
this information on to you unchanged.
CVE-2007-4476 - Buffer overflow in the GNU tar function
safer_name_suffix()
Due to an error in the function safer_name_suffix() that is not described in
further detail, a buffer overflow can be triggered in GNU tar and the program
can be made to crash (denial of service).
The following software packages and platforms are affected:
Package tar
Fedora 7
The vendor provides updated packages.
Vendor advisory:
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00370.html
(c) of the German summary by DFN-CERT Services GmbH; distribution, including
in part, is permitted only with reference to the author, DFN-CERT Services
GmbH, and only for non-commercial purposes.
Kind regards,
Andreas Bunten, DFN-CERT
- --
Andreas Bunten (CSIRT), +49 40 808077-555
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
- --------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-2673
2007-10-29 19:02:31.281371
- --------------------------------------------------------------------------------
Name : tar
Product : Fedora 7
Version : 1.15.1
Release : 28.fc7
URL : http://www.gnu.org/software/tar/
Summary : A GNU file archiving program
Description :
The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive. Tar
can also be used to add supplemental files to an archive and to update
or list files in the archive. Tar includes multivolume support,
automatic archive compression/decompression, the ability to perform
remote archives, and the ability to perform incremental and full
backups.
If you want to use tar for remote backups, you also need to install
the rmt package.
- --------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 24 2007 Radek Brich <rbrich@xxxxxxxxxx> 2:1.15.1-28
- - backported upstream patch for CVE-2007-4476
(tar stack crashing in safer_name_suffix)
* Tue Aug 28 2007 Radek Brich <rbrich@xxxxxxxxxx> 2:1.15.1-27
- - fixed CVE-2007-4131 tar directory traversal vulnerability (#253684)
- --------------------------------------------------------------------------------
References:
[ 1 ] Bug #280961 - CVE-2007-4476 tar stack crashing in safer_name_suffix
https://bugzilla.redhat.com/show_bug.cgi?id=280961
[ 2 ] CVE-2007-4476
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
- --------------------------------------------------------------------------------
Updated packages:
c09659eac15f8e77065533c34af22253d2a46e53 tar-1.15.1-28.fc7.ppc64.rpm
458b97f6abd1acd618fa562d466a271b22006e6f tar-debuginfo-1.15.1-28.fc7.ppc64.rpm
f813a5b6c36a75318aaecf771101ad2ebd640fa6 tar-1.15.1-28.fc7.i386.rpm
b84314a9e349bc5c2588b6747b06756d565643a9 tar-debuginfo-1.15.1-28.fc7.i386.rpm
eea2f8078c49a09717df1d4f22ed9f7a1f326be2 tar-debuginfo-1.15.1-28.fc7.x86_64.rpm
44bba686adf4a5a2936773253687cdc897495407 tar-1.15.1-28.fc7.x86_64.rpm
848226382b22036efe7206d1114dc7bde6e1c52a tar-1.15.1-28.fc7.ppc.rpm
f6ede3c1738cf39dec8f8fa6732ab0d4cfbb897a tar-debuginfo-1.15.1-28.fc7.ppc.rpm
d7d03d1a399275ff8283344263d392664ef1754e tar-1.15.1-28.fc7.src.rpm
This update can be installed with the "yum" update program. Use
su -c 'yum update tar'
at the command line. For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.
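The two checks an administrator would want around that yum command are whether the installed tar is already at the fixed build (1.15.1-28.fc7) and whether a manually downloaded package matches the checksum list above. The helpers below are an added example, not part of the Fedora advisory or the tar project; they assume the hashes in "Updated packages" are SHA-1 (they are 40 hex digits) and that "rpm -q tar" prints the installed package as name-version-release, e.g. tar-1.15.1-27.fc7. The manifest and file contents in the test are constructed, not real packages.

```shell
#!/bin/sh
# Constructed verification helpers for FEDORA-2007-2673; not from the advisory.
# Assumptions: the advisory's package hashes are SHA-1, the fixed build is
# tar-1.15.1-28.fc7, and "rpm -q tar" prints name-version-release, optionally
# followed by ".arch" on newer rpm versions.

FIXED_RELEASE=28

# Print the numeric release of a Fedora 7 tar 1.15.1 NVR such as
# tar-1.15.1-27.fc7 (an optional trailing .arch is tolerated). Prints nothing
# for any other package string, so callers can tell "not covered" from "old".
release_from_nvr() {
    printf '%s\n' "$1" | sed -n 's/^tar-1\.15\.1-\([0-9][0-9]*\)\.fc7.*$/\1/p'
}

# Succeed only for Fedora 7 builds of tar 1.15.1 at or above the fixed release.
# Anything outside that version stream is outside this advisory and fails here.
is_fixed_f7_build() {
    rel=$(release_from_nvr "$1")
    [ -n "$rel" ] && [ "$rel" -ge "$FIXED_RELEASE" ]
}

# Query the installed package. Needs rpm, so it is not invoked automatically.
installed_tar_is_fixed() {
    is_fixed_f7_build "$(rpm -q tar)"
}

# Compare a downloaded RPM with the SHA-1 printed in the advisory. A match
# only proves the file is the one listed; 'rpm -K file.rpm' additionally
# checks the Fedora GPG signature and should be run as well.
verify_rpm_sha1() {
    file=$1; expected=$2
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Verify every entry of a manifest whose lines have the advisory's shape,
# "<sha1> <filename>", against files in a directory. Returns non-zero if
# any file is missing or mismatched.
verify_manifest() {
    manifest=$1; dir=$2; bad=0
    while read -r sum name; do
        [ -n "$sum" ] || continue
        if verify_rpm_sha1 "$dir/$name" "$sum"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}
```

Typical use after downloading the i386 packages into the current directory: paste the matching lines from "Updated packages" into a file and run `verify_manifest manifest.txt .`, then `installed_tar_is_fixed` once `yum update tar` has completed.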
- --------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRycSIBYd1iQZmhQQAQE/dggAv0k1JOVUAox9+Lo88fOzu/LOHTQCWDF7
YJ862JUvSUNrnN8Gqij1cfwt3QTMAJE8XQubUJkqgcbWZyn89b0iHpE8WAgHBC9d
O12YOM8BTknNyhyQqCz7Q4vZBcTVw2wbKnD3UQKZgcQ8z0ocklFntOHHNglGjI6y
4/CyZ2VSSptL3FxR8gXFH34RNiE/iaXybGyLUpU/bfc4lVhNM8DtmH3ZnW/L1NeG
wVnN2mZSg+EP9Bk8E/jkBW3+EchqD3FAhLjSS6w7ezf8xNfgG3ivoZHG5QnheoIb
62p3vJgHSiWTuYAZtPUOdezlSxDJ/8hVW2AmPua4HeVnswLMZpF2EA==
=dNuC
-----END PGP SIGNATURE-----