Bug 152813 - GNU Sharutils Multiple Buffer Overflows
GNU Sharutils Multiple Buffer Overflows
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://www.securityfocus.com/advisori...
1, LEGACY, rh73, rh90
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-10-12 03:04 EDT by John Dalbec
Modified: 2007-04-18 13:22 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 18:25:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:28:22 EST
04.40.11 CVE: Not Available
Platform: Unix
Title: GNU Sharutils Multiple Buffer Overflows
Description: GNU Sharutils is a set of utilities for creating and
manipulating shell archive files. Sharutils is vulnerable to multiple
buffer overflow exploits. GNU Sharutils versions 4.2 and 4.2.1 are
affected.
Ref: http://www.securityfocus.com/advisories/7268



------- Additional Comments From simon@nzservers.com 2004-10-18 05:09:29 ----

Created an attachment (id=887)
Redhat 7.3 patch

This is a patch for 7.3, packages to follow shortly.

- Si



------- Additional Comments From simon@nzservers.com 2004-10-18 05:19:37 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
Test Packages for Redhat 7.3: 
 
* Mon Oct 18 2004 Simon Weller <simon@potelweller.com> 4.2.1-10.7.x.legacy 
- - Added patch for shar.c buffer overflow 
- - Added patch for unshar.c buffer overflow 
- - Reference: http://www.securityfocus.com/advisories/7268 
 
sha1sum -b shar* 
fa51df4e8bce98464e6b810f39a452f89cd79910 
*sharutils-4.2.1-10.7.x.legacy.i386.rpm 
e6fc727dab725adf17512c067040a79aa261cfb3 
*sharutils-4.2.1-10.7.x.legacy.src.rpm 
 
Available here: 
 
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-10.7.x.legacy.i386.rpm 
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-10.7.x.legacy.src.rpm 
 
- - Si 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFBc97MMLOCzgCQslsRAqQnAJ9FdfbYdgR7hH6Xw3cAVRQE0xHvegCeJR0L 
U7n9C60LB+p1EB0pjCX4Nwc= 
=ep8x 
-----END PGP SIGNATURE----- 



------- Additional Comments From simon@nzservers.com 2004-10-18 09:03:53 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
Test Packages for Redhat 9: 
 
* Mon Oct 18 2004 Simon Weller <simon@potelweller.com> 4.2.1-15.9.legacy 
- - Added patch for shar.c buffer overflow 
- - Added patch for unshar.c buffer overflow 
- - Reference: http://www.securityfocus.com/advisories/7268 
 
sha1sum: 
64513b328136444c7b120f0fc381f37aa6e6a103 *sharutils-4.2.1-15.9.legacy.i386.rpm 
24003e1750caa0bbb238e898f74fff1adce33e46 *sharutils-4.2.1-15.9.legacy.src.rpm 
2cf0217b26bac759d96da642d8c18d238d4ffd4c 
*sharutils-debuginfo-4.2.1-15.9.legacy.i386.rpm 
 
 
Available here: 
 
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-15.9.legacy.i386.rpm 
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-15.9.legacy.src.rpm 
ftp://potelweller.com/fedora_legacy/testing/sharutils-debuginfo-4.2.1-15.9.legacy.i386.rpm 
 
- - Si 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFBdBORMLOCzgCQslsRAtm5AJ9BJ659AsMnI687LhKCeIEg03Te2ACdFmPa 
9u9L/sGoKB7efXisIjyfKos= 
=TZBw 
-----END PGP SIGNATURE----- 



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-19 16:42:21 ----

Maybe we should check for this too, as it seems it was never included:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123230




------- Additional Comments From simon@nzservers.com 2004-10-19 17:50:49 ----

Yep Marc, looks like we've missed that, the patch is certainly not present.  
 
New packages that address this will follow shortly. 
 
- Si 



------- Additional Comments From simon@nzservers.com 2004-10-19 17:54:05 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
Here are new test packages for 7.3 and 9: 
 
7.3: 
 
%changelog 
* Tue Oct 19 2004 Simon Weller <simon@potelweller.com> 4.2.1-11.7.x.legacy 
- - Added missed patch for Buffer overflow in handling of -o option 
- - Reference: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123230 
 
* Mon Oct 18 2004 Simon Weller <simon@potelweller.com> 4.2.1-10.7.x.legacy 
- - Added patch for shar.c buffer overflow 
- - Added patch for unshar.c buffer overflow 
- - Reference: http://www.securityfocus.com/advisories/7268 
 
sha1sum -b shar* 
5ca011f45723ab8923d26bd099e3fcb4dc33b8e0 
*sharutils-4.2.1-11.7.x.legacy.i386.rpm 
40569945d3821d42803bd8619dcf897f081976bd 
*sharutils-4.2.1-11.7.x.legacy.src.rpm 
 
Available here: 
 
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-11.7.x.legacy.i386.rpm 
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-11.7.x.legacy.src.rpm 
 
9: 
 
%changelog 
* Tue Oct 19 2004 Simon Weller <simon@potelweller.com> 4.2.1-16.9.legacy 
- - Added missed patch for Buffer overflow in handling of -o option 
- - Reference: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123230 
 
* Mon Oct 18 2004 Simon Weller <simon@potelweller.com> 4.2.1-15.9.legacy 
- - - Added patch for shar.c buffer overflow 
- - - Added patch for unshar.c buffer overflow 
- - - Reference: http://www.securityfocus.com/advisories/7268 
 
sha1sum -b shar* 
c660dcd67acc570089e998f978991d4e6c6b3979 *sharutils-4.2.1-16.9.legacy.i386.rpm 
3655949eff6bb99db484637c75a3b950bcfa1ec2 *sharutils-4.2.1-16.9.legacy.src.rpm 
2db779735c0c4f5ae8ed1cbdc4858b3b09921c80 
*sharutils-debuginfo-4.2.1-16.9.legacy.i386.rpm 
 
Available here: 
 
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-16.9.legacy.i386.rpm 
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-16.9.legacy.src.rpm 
ftp://potelweller.com/fedora_legacy/testing/sharutils-debuginfo-4.2.1-16.9.legacy.i386.rpm 
 
- - Si 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFBdeEmMLOCzgCQslsRAkeAAKCxtaCxLN4e4m3PXQeLMSWBp43sjwCfYUs9 
sp1aLqL9lzCKZyUD43DR9fg= 
=mQYt 
-----END PGP SIGNATURE----- 



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-10-21 09:18:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
packages to QA for FC1:
 
changelog:
* Thu Oct 21 2004 Rob Myers <rob.myers@gtri.gatech.edu> 4.2.1-17.1.legacy
- - add patches for multiple buffer overflows (FL #2155)
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/sharutils-4.2.1-17.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/sharutils-4.2.1-17.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/sharutils-debuginfo-4.2.1-17.1.legacy.i386.rpm
 
sha1sums:
e5ae2244ec43e51bf726ece3a918dd9b6c63155e  sharutils-4.2.1-17.1.legacy.i386.rpm
bc03825f410d43702cdb47a7649432453364545a  sharutils-4.2.1-17.1.legacy.src.rpm
409f4a0cab64279a65c8231ec05ebf676761f17d 
sharutils-debuginfo-4.2.1-17.1.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD4DBQFBeAtTtU2XAt1OWnsRAp+zAJjQVS0C4Gqs6KSsQPa9xKRXe8+iAJ9VSOld
hgB2kNOrUNNAOPzOy4ln/A==
=Vw8S
-----END PGP SIGNATURE-----




------- Additional Comments From josh.kayse@gtri.gatech.edu 2004-11-16 08:18:08 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

bc03825f410d43702cdb47a7649432453364545a  sharutils-4.2.1-17.1.legacy.src.rpm

- - does not build without gettext installed
- -- should this be repackaged as a BuildPrereq?
- - installs cleanly
- - runs fine
- - spec looks good
- - patches look good


+ PUBLISH?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBmkRZwnUFCSDmt7ERAsI8AJ9kHrvKtJyAv/I6SQIa+zrbFBZmZQCggHDs
u80suOjYMXXLD6Of5CQlrs4=
=M9RG
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2004-12-21 07:08:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73 and RHL9 SRPMS:
 - source files OK
 - spec file changes minimal
 - patches verified to match Gentoo (http://bugs.gentoo.org/show_bug.cgi?id=65773)
   and the latest Red Hat development tree.
 - recompilation tested on RHL9 only.

+PUBLISH RHL9, RHL73 

40569945d3821d42803bd8619dcf897f081976bd  sharutils-4.2.1-11.7.x.legacy.src.rpm
3655949eff6bb99db484637c75a3b950bcfa1ec2  sharutils-4.2.1-16.9.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByFhjGHbTkzxSL7QRAojFAJ9gZHD4AcLNJP4/DQBsqwk2B7L10gCcDqv5
RftNwkUgO8ri1TdFodGCv6E=
=OIcv
-----END PGP SIGNATURE-----



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-09 16:17:49 ----

Packages were pushed to updates-testing.



------- Additional Comments From mschout@gkg.net 2005-02-09 18:18:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify 7.3

sha1sums:
192306ce2a6cecb89a950040b850f86a28b26998 sharutils-4.2.1-12.7.x.legacy.i386.rpm

* rpm --checksig:
sharutils-4.2.1-12.7.x.legacy.i386.rpm: md5 gpg OK

* packages install with no errors.
* appears to work normally.  used shar to make a shell archive, and unshar
  unpacks it properly.

+VERIFY RH 7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCCuBn+CqvSzp9LOwRAq7oAKDDeTz81mjM5KtxvW2jL2wciq9ZaACfdmHt
fpeI24Xb4Mh/aJLoNmu4D1o=
=dpWo
-----END PGP SIGNATURE-----




------- Additional Comments From madhatter@teaparty.net 2005-02-10 01:05:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
installed sharutils-4.2.1-16.9.1.legacy.i386.rpm
 
package installs with no errors.  appears to work normally.  used shar to
make a shell archive.  unshar unpacks it properly (files sum same).
 
+VERIFY RH9
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFCCz24ePtvKV31zw4RArGTAKCQZ584Le5rZcKm+sWOKWg/vbOgOwCeIdkQ
ZA31YUu+E2hOjTBxwfCcwI4=
=8LpB
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers@gtri.gatech.edu 2005-03-18 11:20:51 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

i did QA on the fc1 sharutils package:

457f8c7a9bc795c5d33bd8bb3e508e2b1e884df0  sharutils-4.2.1-17.2.legacy.i386.rpm

sha1sum ok
gpg signature ok
installs ok
unpacks http://www.bitmover.com/bk-client.shar ok

+VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCO0SUtU2XAt1OWnsRAtcSAKDPpYoEVNo1BMa042XZi8EJHg7YHgCfX+J1
OfiJJHprSJXrhsP8EC54/hY=
=manc
-----END PGP SIGNATURE-----




------- Additional Comments From mark.scott@csuk-solutions.net 2005-03-22 01:13:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


QA on FC1 sharutils package:

457f8c7a9bc795c5d33bd8bb3e508e2b1e884df0  sharutils-4.2.1-17.2.legacy.i386.rpm

sha1sum ok
gpg sig ok
install ok
unpacks http://www.bitmover.com/bk-client.shar ok

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCP/2vl2I0fYrP+68RAl7nAJ9DNOQW8rbmwGfKVAlTOFQwPaZ2ngCdG0+S
gdXM6iZv7G6pA6ENO/+08q4=
=5ywR
-----END PGP SIGNATURE-----



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2155 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2155
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Redhat 7.3 patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=887

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 18:25:32 EDT
Packages fixing this issue were officially released.

Note You need to log in before you can comment on or make changes to this bug.