Full Disclosure mailing list archives
GLSA: tar
From: gem () rellim com (Gary E. Miller)
Date: Tue, 1 Oct 2002 09:40:46 -0700 (PDT)
Yo All!

This is a joke, right?  And I am too stupid to let trolls alone?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Tue, 1 Oct 2002, Daniel Ahlberg wrote:

Date: Tue, 1 Oct 2002 14:37:48 +0200
From: Daniel Ahlberg <aliz () gentoo org>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] GLSA: tar

- --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------

PACKAGE :tar
SUMMARY :directory-traversal vulnerability
DATE    :2002-10-01 12:30 UTC

- --------------------------------------------------------------------

OVERVIEW

The tar utility contains vulnerabilities which can allow arbitrary
files to be overwritten during archive extraction.

DETAIL

During testing by Redhat of the fix to GNU tar from the advisory below,
it was discovered that GNU tar 1.13.25 was still vulnerable to a
modified version of the same problem.

Read the full original advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/tar-1.13.25-r2 and earlier update their systems as follows:

emerge rsync
emerge tar
emerge clean

- --------------------------------------------------------------------
aliz () gentoo org - GnuPG key is available at www.gentoo.org/~aliz
- --------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

------------ Output from gpg ------------
gpg: Signature made Tue Oct 1 05:37:47 2002 PDT using DSA key ID 1529A193
gpg: Good signature from "Daniel Ahlberg <aliz () gentoo org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 5889 0C41 3685 10A8 4702 0602 7D3E E7CA 1529 A193