Full Disclosure mailing list archives

GLSA: tar


From: gem () rellim com (Gary E. Miller)
Date: Tue, 1 Oct 2002 09:40:46 -0700 (PDT)

Yo All!

This is a joke, right?  And I am too stupid to let trolls alone?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Tue, 1 Oct 2002, Daniel Ahlberg wrote:

Date: Tue, 1 Oct 2002 14:37:48 +0200
From: Daniel Ahlberg <aliz () gentoo org>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] GLSA: tar

- --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------

PACKAGE        :tar
SUMMARY        :directory-traversal vulnerability
DATE           :2002-10-01 12:30 UTC

- --------------------------------------------------------------------

OVERVIEW

The tar utility contains vulnerabilities which can allow
arbitrary files to be overwritten during archive extraction.

DETAIL

During testing by Redhat of the fix to GNU tar from the advisory below,
it was discovered that GNU tar 1.13.25 was still vulnerable to a
modified version of the same problem.

Read the full original advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/tar-1.13.25-r2 and earlier update their systems
as follows:

emerge rsync
emerge tar
emerge clean

- --------------------------------------------------------------------
aliz () gentoo org - GnuPG key is available at www.gentoo.org/~aliz
- --------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
------------ Output from gpg ------------
gpg: Signature made Tue Oct  1 05:37:47 2002 PDT using DSA key ID 1529A193
gpg: Good signature from "Daniel Ahlberg <aliz () gentoo org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 5889 0C41 3685 10A8 4702  0602 7D3E E7CA 1529 A193




