Bug 183571

Summary: Multiple tar issues (CVE-2005-1918, CVE-2006-0300)
Product: [Retired] Fedora Legacy
Reporter: David Eisenstein <deisenst>
Component: tar
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: pekkas, tseaver
Target Milestone: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: LEGACY, rh73, rh90, 1, 2, 3
Doc Type: Bug Fix
Last Closed: 2006-04-05 00:27:04 UTC

Description David Eisenstein 2006-03-02 01:16:25 UTC
There are two separate issues that affect different subsets of our products.

I. RHL 7.3, RHL 9, FC1 & FC2:  tar archive path traversal issue

   CVE-2005-1918:  "The original patch for a GNU tar directory traversal
   vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses
   an 'incorrect optimization' that allows user-complicit attackers to
   overwrite arbitrary files via a crafted tar file, probably involving
   '/../' sequences with a leading '/'."

   This vulnerability appears to only affect tar-1.13.25 releases, which
   these four distros use.

   Red Hat issued RHSA-2006:0195-01 for RHEL 2.1 and RHEL 3:
   "In 2002, a path traversal flaw was found in the way GNU tar extracted
   archives. A malicious user could create a tar archive that could write
   to arbitrary files to which the user running GNU tar has write access
   (CVE-2002-0399).  Red Hat included a backported security patch to
   correct this issue in Red Hat Enterprise Linux 3, and an erratum for
   Red Hat Enterprise Linux 2.1 users was issued.

   "During internal testing, we discovered that our backported security
   patch contained an incorrect optimization and therefore was not
   sufficient to completely correct this vulnerability.  The Common
   Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
   CVE-2005-1918 to this issue."

   Impact:  Low

   Ref:  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0399>
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1918>
         <http://rhn.redhat.com/errata/RHSA-2006-0195.html>


II.  FC3:  GNU tar heap overflow bug

   CVE-2006-0300:  "Buffer overflow in tar 1.14 through 1.15.90 allows
   user-complicit attackers to cause a denial of service (application
   crash) and possibly execute code via unspecified vectors involving
   PAX extended headers."

   This issue affects FC3 & FC4.

   Red Hat issued RHSA-2006:0232-01 for RHEL 4:
   "Jim Meyering discovered a buffer overflow bug in the way GNU tar
   extracts malformed archives. By tricking a user into extracting a
   malicious tar archive, it is possible to execute arbitrary code as
   the user running tar.  The Common Vulnerabilities and Exposures project
   (cve.mitre.org) assigned the name CVE-2006-0300 to this issue."

   Impact:  Moderate
   
   Ref:  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300>
         <http://rhn.redhat.com/errata/RHSA-2006-0232.html>
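
A pre-extraction check for the path-traversal condition in issue I, as an added example that is not part of this bug report or of GNU tar: it walks an archive's member names and reports those that would land outside the extraction directory, including the '/../' with a leading '/' case the advisory quotes. The sample archive is constructed inline and the extraction directory name is an assumption.

```python
import io
import os
import posixpath
import tarfile


def escapes(name, dest):
    """True if extracting `name` under `dest` could land outside `dest`.
    This is the condition behind CVE-2002-0399 / CVE-2005-1918: an absolute
    name (leading '/') or a '..' component that survives normalisation,
    e.g. '/../etc/passwd', which still escapes once the leading '/' is dropped.
    """
    if name.startswith("/"):
        return True
    if ".." in posixpath.normpath(name).split("/"):
        return True
    # Belt and braces: resolve the final location and compare prefixes.
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) != dest


def unsafe_members(tar, dest="."):
    """Return the names of archive members that would escape `dest`."""
    dest = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        # Hard links are created by name as well, so check their target too.
        names = [m.name] + ([m.linkname] if m.islnk() else [])
        if any(escapes(n, dest) for n in names):
            bad.append(m.name)
    return bad


def build_sample_archive():
    """Constructed in-memory archive (sample data, not from the bug report)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ["ok/file.txt", "/../outside.txt", "a/../b.txt", "../escape.txt"]:
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))  # addfile keeps the name verbatim
    buf.seek(0)
    return buf


def scan_sample(dest="extract_here"):
    """Run the check over the sample archive; `dest` is an assumed directory."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r:") as tar:
        return unsafe_members(tar, dest)
```

Run `scan_sample()` against a real archive by swapping in `tarfile.open(path)`; the `a/../b.txt` member is reported as safe because it normalises to a name inside `dest`.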

Comment 1 Marc Deslauriers 2006-03-09 00:49:36 UTC

Here are updated packages to QA:


http://www.infostrategique.com/linuxrpms/legacy/7.3/tar-1.13.25-4.7.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/tar-1.13.25-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/tar-1.13.25-12.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/tar-1.13.25-14.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/tar-1.14-5.FC3.1.legacy.src.rpm



Comment 2 Pekka Savola 2006-03-09 05:38:15 UTC
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2, FC3
 


Comment 3 Marc Deslauriers 2006-03-16 01:29:24 UTC
Packages were pushed to updates-testing.

Comment 4 Tres Seaver 2006-03-16 04:46:56 UTC

Packages tested:

  0caee4057c9325f93ac327e1a4d067fee8b1a744  tar-1.13.25-12.1.legacy.i386.rpm

  - SHA1 checksums and GPG signatures verified.

  - Packages installed cleanly.

  - Tested tar of sample directory before and after, with identical results.

+VERIFY FC1


Comment 5 Pekka Savola 2006-03-16 05:48:05 UTC
Thanks!

Comment 6 Pekka Savola 2006-03-16 06:05:23 UTC
 
QA for RHL9.  Signature OK, upgrades OK.  Rpm-build-compare.sh on
the binaries also looks OK.  Basic testing OK.
 
+VERIFY RHL9

Timeout shortened to one week.


Comment 7 Tom Yates 2006-03-23 10:52:39 UTC

df30641462702e447ac80e5e71db048e039cc378  tar-1.13.25-11.1.legacy.i386.rpm

Installs OK.  I can't see any easy way to test this in the references I've
read, so can only add that tar works to pack, inventory and unpack using
a selection of my normal flags.

+VERIFY RH9



Comment 8 Pekka Savola 2006-03-23 13:25:34 UTC
Timeout over.

Comment 9 Marc Deslauriers 2006-04-05 00:27:04 UTC
Packages were released to updates.