04.40.11 CVE: Not Available
Platform: Unix
Title: GNU Sharutils Multiple Buffer Overflows
Description: GNU Sharutils is a set of utilities for creating and manipulating shell archive files. Sharutils is vulnerable to multiple buffer overflow exploits. GNU Sharutils versions 4.2 and 4.2.1 are affected.
Ref: http://www.securityfocus.com/advisories/7268

------- Additional Comments From simon 2004-10-18 05:09:29 ----

Created an attachment (id=887)
Redhat 7.3 patch

This is a patch for 7.3, packages to follow shortly.

- Si

------- Additional Comments From simon 2004-10-18 05:19:37 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test Packages for Redhat 7.3:

* Mon Oct 18 2004 Simon Weller <simon> 4.2.1-10.7.x.legacy
- - Added patch for shar.c buffer overflow
- - Added patch for unshar.c buffer overflow
- - Reference: http://www.securityfocus.com/advisories/7268

sha1sum -b shar*
fa51df4e8bce98464e6b810f39a452f89cd79910 *sharutils-4.2.1-10.7.x.legacy.i386.rpm
e6fc727dab725adf17512c067040a79aa261cfb3 *sharutils-4.2.1-10.7.x.legacy.src.rpm

Available here:
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-10.7.x.legacy.i386.rpm
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-10.7.x.legacy.src.rpm

- - Si
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBc97MMLOCzgCQslsRAqQnAJ9FdfbYdgR7hH6Xw3cAVRQE0xHvegCeJR0L
U7n9C60LB+p1EB0pjCX4Nwc=
=ep8x
-----END PGP SIGNATURE-----

------- Additional Comments From simon 2004-10-18 09:03:53 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test Packages for Redhat 9:

* Mon Oct 18 2004 Simon Weller <simon> 4.2.1-15.9.legacy
- - Added patch for shar.c buffer overflow
- - Added patch for unshar.c buffer overflow
- - Reference: http://www.securityfocus.com/advisories/7268

sha1sum:
64513b328136444c7b120f0fc381f37aa6e6a103 *sharutils-4.2.1-15.9.legacy.i386.rpm
24003e1750caa0bbb238e898f74fff1adce33e46 *sharutils-4.2.1-15.9.legacy.src.rpm
2cf0217b26bac759d96da642d8c18d238d4ffd4c *sharutils-debuginfo-4.2.1-15.9.legacy.i386.rpm

Available here:
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-15.9.legacy.i386.rpm
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-15.9.legacy.src.rpm
ftp://potelweller.com/fedora_legacy/testing/sharutils-debuginfo-4.2.1-15.9.legacy.i386.rpm

- - Si
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBdBORMLOCzgCQslsRAtm5AJ9BJ659AsMnI687LhKCeIEg03Te2ACdFmPa
9u9L/sGoKB7efXisIjyfKos=
=TZBw
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-10-19 16:42:21 ----

Maybe we should check for this too, as it seems it was never included:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123230

------- Additional Comments From simon 2004-10-19 17:50:49 ----

Yep Marc, looks like we've missed that, the patch is certainly not present. New packages that address this will follow shortly.

- Si

------- Additional Comments From simon 2004-10-19 17:54:05 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new test packages for 7.3 and 9:

7.3:

%changelog
* Tue Oct 19 2004 Simon Weller <simon> 4.2.1-11.7.x.legacy
- - Added missed patch for Buffer overflow in handling of -o option
- - Reference: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123230

* Mon Oct 18 2004 Simon Weller <simon> 4.2.1-10.7.x.legacy
- - Added patch for shar.c buffer overflow
- - Added patch for unshar.c buffer overflow
- - Reference: http://www.securityfocus.com/advisories/7268

sha1sum -b shar*
5ca011f45723ab8923d26bd099e3fcb4dc33b8e0 *sharutils-4.2.1-11.7.x.legacy.i386.rpm
40569945d3821d42803bd8619dcf897f081976bd *sharutils-4.2.1-11.7.x.legacy.src.rpm

Available here:
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-11.7.x.legacy.i386.rpm
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-11.7.x.legacy.src.rpm

9:

%changelog
* Tue Oct 19 2004 Simon Weller <simon> 4.2.1-16.9.legacy
- - Added missed patch for Buffer overflow in handling of -o option
- - Reference: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123230

* Mon Oct 18 2004 Simon Weller <simon> 4.2.1-15.9.legacy
- - - Added patch for shar.c buffer overflow
- - - Added patch for unshar.c buffer overflow
- - - Reference: http://www.securityfocus.com/advisories/7268

sha1sum -b shar*
c660dcd67acc570089e998f978991d4e6c6b3979 *sharutils-4.2.1-16.9.legacy.i386.rpm
3655949eff6bb99db484637c75a3b950bcfa1ec2 *sharutils-4.2.1-16.9.legacy.src.rpm
2db779735c0c4f5ae8ed1cbdc4858b3b09921c80 *sharutils-debuginfo-4.2.1-16.9.legacy.i386.rpm

Available here:
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-16.9.legacy.i386.rpm
ftp://potelweller.com/fedora_legacy/testing/sharutils-4.2.1-16.9.legacy.src.rpm
ftp://potelweller.com/fedora_legacy/testing/sharutils-debuginfo-4.2.1-16.9.legacy.i386.rpm

- - Si
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBdeEmMLOCzgCQslsRAkeAAKCxtaCxLN4e4m3PXQeLMSWBp43sjwCfYUs9
sp1aLqL9lzCKZyUD43DR9fg=
=mQYt
-----END PGP SIGNATURE-----

------- Additional Comments From rob.myers.edu 2004-10-21 09:18:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

packages to QA for FC1:

changelog:
* Thu Oct 21 2004 Rob Myers <rob.myers.edu> 4.2.1-17.1.legacy
- - add patches for multiple buffer overflows (FL #2155)

files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/sharutils-4.2.1-17.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/sharutils-4.2.1-17.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/sharutils-debuginfo-4.2.1-17.1.legacy.i386.rpm

sha1sums:
e5ae2244ec43e51bf726ece3a918dd9b6c63155e sharutils-4.2.1-17.1.legacy.i386.rpm
bc03825f410d43702cdb47a7649432453364545a sharutils-4.2.1-17.1.legacy.src.rpm
409f4a0cab64279a65c8231ec05ebf676761f17d sharutils-debuginfo-4.2.1-17.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD4DBQFBeAtTtU2XAt1OWnsRAp+zAJjQVS0C4Gqs6KSsQPa9xKRXe8+iAJ9VSOld
hgB2kNOrUNNAOPzOy4ln/A==
=Vw8S
-----END PGP SIGNATURE-----

------- Additional Comments From josh.kayse.edu 2004-11-16 08:18:08 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:
bc03825f410d43702cdb47a7649432453364545a sharutils-4.2.1-17.1.legacy.src.rpm

- - does not build without gettext installed
- -- should this be repackaged as a BuildPrereq?
- - installs cleanly
- - runs fine
- - spec looks good
- - patches look good

+ PUBLISH?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBmkRZwnUFCSDmt7ERAsI8AJ9kHrvKtJyAv/I6SQIa+zrbFBZmZQCggHDs
u80suOjYMXXLD6Of5CQlrs4=
=M9RG
-----END PGP SIGNATURE-----

------- Additional Comments From pekkas 2004-12-21 07:08:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73 and RHL9 SRPMS:

- source files OK
- spec file changes minimal
- patches verified to match Gentoo (http://bugs.gentoo.org/show_bug.cgi?id=65773) and the latest Red Hat development tree.
- recompilation tested on RHL9 only.

+PUBLISH RHL9, RHL73

40569945d3821d42803bd8619dcf897f081976bd sharutils-4.2.1-11.7.x.legacy.src.rpm
3655949eff6bb99db484637c75a3b950bcfa1ec2 sharutils-4.2.1-16.9.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByFhjGHbTkzxSL7QRAojFAJ9gZHD4AcLNJP4/DQBsqwk2B7L10gCcDqv5
RftNwkUgO8ri1TdFodGCv6E=
=OIcv
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2005-02-09 16:17:49 ----

Packages were pushed to updates-testing.

------- Additional Comments From mschout 2005-02-09 18:18:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify 7.3 sha1sums:
192306ce2a6cecb89a950040b850f86a28b26998 sharutils-4.2.1-12.7.x.legacy.i386.rpm

* rpm --checksig: sharutils-4.2.1-12.7.x.legacy.i386.rpm: md5 gpg OK
* packages install with no errors.
* appears to work normally. used shar to make a shell archive, and unshar unpacks it properly.

+VERIFY RH 7.3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCCuBn+CqvSzp9LOwRAq7oAKDDeTz81mjM5KtxvW2jL2wciq9ZaACfdmHt
fpeI24Xb4Mh/aJLoNmu4D1o=
=dpWo
-----END PGP SIGNATURE-----

------- Additional Comments From madhatter 2005-02-10 01:05:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

installed sharutils-4.2.1-16.9.1.legacy.i386.rpm

package installs with no errors.
appears to work normally. used shar to make a shell archive. unshar unpacks it properly (files sum same).

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCCz24ePtvKV31zw4RArGTAKCQZ584Le5rZcKm+sWOKWg/vbOgOwCeIdkQ
ZA31YUu+E2hOjTBxwfCcwI4=
=8LpB
-----END PGP SIGNATURE-----

------- Additional Comments From rob.myers.edu 2005-03-18 11:20:51 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 sharutils package:
457f8c7a9bc795c5d33bd8bb3e508e2b1e884df0 sharutils-4.2.1-17.2.legacy.i386.rpm

sha1sum ok
gpg signature ok
installs ok
unpacks http://www.bitmover.com/bk-client.shar ok

+VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCO0SUtU2XAt1OWnsRAtcSAKDPpYoEVNo1BMa042XZi8EJHg7YHgCfX+J1
OfiJJHprSJXrhsP8EC54/hY=
=manc
-----END PGP SIGNATURE-----

------- Additional Comments From mark.scott 2005-03-22 01:13:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA on FC1 sharutils package:
457f8c7a9bc795c5d33bd8bb3e508e2b1e884df0 sharutils-4.2.1-17.2.legacy.i386.rpm

sha1sum ok
gpg sig ok
install ok
unpacks http://www.bitmover.com/bk-client.shar ok

+VERIFY FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCP/2vl2I0fYrP+68RAl7nAJ9DNOQW8rbmwGfKVAlTOFQwPaZ2ngCdG0+S
gdXM6iZv7G6pA6ENO/+08q4=
=5ywR
-----END PGP SIGNATURE-----

------- Bug moved to this database by dkl 2005-03-30 18:28 -------

This bug previously known as bug 2155 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2155
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Redhat 7.3 patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=887

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
Packages fixing this issue were officially released.
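The QA and VERIFY comments above all repeat the same two checks: the downloaded package's SHA-1 must match the sum posted in the bug, and the patched shar/unshar pair must still round-trip a shell archive with the extracted files summing the same. The script below is an added example written for this page; it is not part of the Fedora Legacy thread or of sharutils. The package file name and its hash are constructed for the demo, and the round trip is skipped (exit status 2) when shar and unshar are not installed. The rpm --checksig step the reviewers also ran needs the Fedora Legacy signing key imported and is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the bug thread: the "sha1sum ok" and
# "shar/unshar round trip" QA steps as shell functions.

set -u

# Use coreutils sha1sum where present, otherwise BSD shasum.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_sha1 EXPECTED FILE: returns 0 only if FILE hashes to EXPECTED.
# A missing file yields an empty hash and therefore a mismatch.
verify_sha1() {
    expected=$1
    file=$2
    actual=$(sha1_of "$file" 2>/dev/null)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# shar_roundtrip DIR: pack every file in DIR with shar, unpack the
# archive with unshar into a fresh directory and compare per-file SHA-1s.
# Returns 0 on match, 1 on mismatch or tool failure, 2 if sharutils is absent.
shar_roundtrip() {
    src=$1
    command -v shar >/dev/null 2>&1 && command -v unshar >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    ( cd "$src" && shar * ) > "$work/archive.shar" 2>/dev/null || { rm -rf "$work"; return 1; }
    mkdir "$work/out"
    ( cd "$work/out" && unshar "$work/archive.shar" >/dev/null 2>&1 ) || { rm -rf "$work"; return 1; }
    status=0
    for f in "$src"/*; do
        name=$(basename "$f")
        [ "$(sha1_of "$f")" = "$(sha1_of "$work/out/$name")" ] || status=1
    done
    rm -rf "$work"
    return $status
}

# Demo on constructed input: a fake "package" file (not a real RPM) and a
# small directory to round-trip through shar/unshar.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed test payload, not an RPM\n' > "$tmp/sharutils-demo.i386.rpm"
    posted=$(sha1_of "$tmp/sharutils-demo.i386.rpm")   # stands in for the sum posted in the bug
    if verify_sha1 "$posted" "$tmp/sharutils-demo.i386.rpm"; then
        echo "sha1sum ok: sharutils-demo.i386.rpm"
    fi
    if ! verify_sha1 0000000000000000000000000000000000000000 "$tmp/sharutils-demo.i386.rpm"; then
        echo "sha1sum MISMATCH against a wrong posted sum: do not install"
    fi
    mkdir "$tmp/files"
    printf 'alpha\n' > "$tmp/files/a.txt"
    printf 'beta\n'  > "$tmp/files/b.txt"
    shar_roundtrip "$tmp/files"
    case $? in
        0) echo "shar/unshar round trip ok (files sum same)" ;;
        2) echo "shar/unshar not installed, round trip skipped" ;;
        *) echo "shar/unshar round trip FAILED" ;;
    esac
    rm -rf "$tmp"
}

demo
```

Run it as `sh qa-check.sh`; substitute the real package path and the SHA-1 from the bug comment for the constructed values in `demo` when checking an actual updates-testing package.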