Bug 183571 - Multiple tar issues (CVE-2005-1918, CVE-2006-0300)
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: tar
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, rh73, rh90, 1, 2, 3
Keywords: Security

Reported: 2006-03-01 20:16 EST by David Eisenstein
Modified: 2007-04-18 13:39 EDT
Doc Type: Bug Fix
Last Closed: 2006-04-04 20:27:04 EDT


External Trackers:
  Red Hat Bugzilla 140589
  Red Hat Bugzilla 181772
  Red Hat Bugzilla 181773

Description David Eisenstein 2006-03-01 20:16:25 EST
There are two separate issues that affect different subsets of our products.

I. RHL 7.3, RHL 9, FC1 & FC2:  tar archive path traversal issue

   CVE-2005-1918:  "The original patch for a GNU tar directory traversal
   vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses
   an 'incorrect optimization' that allows user-complicit attackers to
   overwrite arbitrary files via a crafted tar file, probably involving '/../'
   sequences with a leading '/'."

   This vulnerability appears to only affect tar-1.13.25 releases, which
   these four distros use.

   Red Hat issued RHSA-2006:0195-01 for RHEL 2.1 and RHEL 3:
   "In 2002, a path traversal flaw was found in the way GNU tar extracted
   archives. A malicious user could create a tar archive that could write
   to arbitrary files to which the user running GNU tar has write access
   (CVE-2002-0399).  Red Hat included a backported security patch to
   correct this issue in Red Hat Enterprise Linux 3, and an erratum for Red
   Hat Enterprise Linux 2.1 users was issued.

   "During internal testing, we discovered that our backported security
   patch contained an incorrect optimization and therefore was not
   sufficient to completely correct this vulnerability.  The Common
   Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
   CVE-2005-1918 to this issue."

   Impact:  Low

   Ref:  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0399>
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1918>
         <http://rhn.redhat.com/errata/RHSA-2006-0195.html>


II.  FC3:  GNU tar heap overflow bug

   CVE-2006-0300:  "Buffer overflow in tar 1.14 through 1.15.90 allows
   user-complicit attackers to cause a denial of service (application
   crash) and possibly execute code via unspecified vectors involving
   PAX extended headers."

   This issue affects FC3 & FC4.

   Red Hat issued RHSA-2006:0232-01 for RHEL 4:
   "Jim Meyering discovered a buffer overflow bug in the way GNU tar
   extracts malformed archives. By tricking a user into extracting a
   malicious tar archive, it is possible to execute arbitrary code as
   the user running tar.  The Common Vulnerabilities and Exposures project
   (cve.mitre.org) assigned the name CVE-2006-0300 to this issue."

   Impact:  Moderate
   
   Ref:  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300>
         <http://rhn.redhat.com/errata/RHSA-2006-0232.html>
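Added example, not part of this bug report and not code from Red Hat or GNU tar: a pre-extraction audit of a raw tar stream that exercises the two classes of bad input described in the report above. It flags member names (and PAX 'path' overrides, and link targets) that would escape the extraction directory, including the leading-'/' plus '/../' shape named in the CVE-2005-1918 text, and it bounds-checks every PAX extended-header record against its payload instead of trusting the declared length, which is the general shape of malformed PAX input the CVE-2006-0300 advisory refers to. The advisory does not give the exact vector, so the PAX check is a generic one, not the GNU tar fix. Function names are mine and the archive is constructed inline by the ustar_header/member helpers.

```python
# Added illustrative example (not from this bug, Red Hat, or GNU tar): audit a tar
# stream before extraction.  Walks raw 512-byte ustar headers, parses PAX extended
# header ('x') records with explicit bounds checks, and flags member names or link
# targets that would escape the extraction directory.
BLOCK = 512


def unsafe_path(name):
    """Return why NAME could escape the extraction directory, or None if it is safe."""
    if name.startswith("/"):
        return "absolute path"            # the leading '/' in the CVE-2005-1918 text
    if ".." in name.split("/"):
        return "'..' component"           # the '/../' sequences in the CVE text
    return None


def parse_pax_records(data):
    """Parse PAX records of the form b"<len> key=value\\n", where <len> counts the
    whole record.  A record whose length does not fit DATA raises ValueError instead
    of being trusted (generic bounds check, not GNU tar's actual fix)."""
    records, pos, end_of_data = {}, 0, len(data)
    while pos < end_of_data and data[pos] != 0:       # 0 = NUL block padding
        sp = data.find(b" ", pos)
        if sp <= pos or not data[pos:sp].isdigit():
            raise ValueError("record at %d has no numeric length field" % pos)
        length = int(data[pos:sp])
        end = pos + length
        # shortest legal record is "<digits> k=\n": digits + space + key + '=' + newline
        if length < (sp - pos) + 4 or end > end_of_data or data[end - 1] != 0x0A:
            raise ValueError("record at %d declares length %d that does not fit" % (pos, length))
        key, eq, value = data[sp + 1:end - 1].partition(b"=")
        if not eq or not key:
            raise ValueError("record at %d is not key=value" % pos)
        records[key.decode()] = value.decode()
        pos = end
    return records


def audit_tar(blob):
    """Return [(member name, problem), ...] for every unsafe or malformed entry in BLOB."""
    findings, pending_pax, pos = [], {}, 0
    while pos + BLOCK <= len(blob):
        hdr = blob[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:                        # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode()
        prefix = hdr[345:500].split(b"\0", 1)[0].decode()
        if prefix:
            name = prefix + "/" + name
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        typeflag = hdr[156:157]
        linkname = hdr[157:257].split(b"\0", 1)[0].decode()
        data = blob[pos + BLOCK:pos + BLOCK + size]
        pos += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK   # header + data, block-rounded
        if typeflag == b"x":                            # PAX extended header for the next member
            try:
                pending_pax = parse_pax_records(data)
            except ValueError as exc:
                findings.append((name, "malformed PAX header: %s" % exc))
                pending_pax = {}
            continue
        name = pending_pax.get("path", name)            # a PAX 'path' record overrides the name
        pending_pax = {}
        reason = unsafe_path(name)
        if reason:
            findings.append((name, reason))
        if typeflag in (b"1", b"2"):                    # hard link / symlink target
            reason = unsafe_path(linkname)
            if reason:
                findings.append((name, "link target: " + reason))
    return findings


def ustar_header(name, size, typeflag=b"0", linkname=""):
    """Build one ustar header block (helper for the constructed test archive only)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    hdr[100:108], hdr[108:116], hdr[116:124] = b"0000644\0", b"0000000\0", b"0000000\0"
    hdr[124:136] = b"%011o\0" % size
    hdr[136:148] = b"00000000000\0"
    hdr[148:156] = b" " * 8                             # checksum field counts as spaces
    hdr[156:157] = typeflag
    hdr[157:157 + len(linkname)] = linkname.encode()
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)


def member(name, data=b"", typeflag=b"0", linkname=""):
    """One archive entry: header, data, NUL padding to a block boundary."""
    return ustar_header(name, len(data), typeflag, linkname) + data + b"\0" * (-len(data) % BLOCK)


def sample_archive():
    """Constructed archive: a benign file, a leading-'/' traversal name, a PAX 'path'
    override containing '..', a PAX record whose length overruns its payload, and a
    symlink with an absolute target."""
    return b"".join([
        member("README", b"hello\n"),
        member("/../../etc/passwd", b"root::0:0::/:/bin/sh\n"),
        member("PaxHeaders/1", b"25 path=../../etc/shadow\n", b"x"), member("harmless.txt", b"x\n"),
        member("PaxHeaders/2", b"99 path=owned\n", b"x"), member("other.txt", b"y\n"),
        member("cfg", typeflag=b"2", linkname="/etc"),
        b"\0" * (2 * BLOCK),
    ])


if __name__ == "__main__":
    for entry, problem in audit_tar(sample_archive()):
        print("%-24s %s" % (entry, problem))
```

Running the block lists four findings: the absolute member name, the '..' name smuggled in through a PAX 'path' record, the PAX header whose record claims 99 bytes of a 14-byte payload, and the symlink pointing at /etc. The audit only reads headers, so it can be run over an untrusted archive before handing it to tar; a hardened extractor would apply the same checks to the final, PAX-resolved name rather than to the raw ustar field alone.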
Comment 1 Marc Deslauriers 2006-03-08 19:49:36 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

0aaaf5b265850a98ca905e032642c7e7ff882747  7.3/tar-1.13.25-4.7.2.legacy.i386.rpm
42f9320ba41fe16fc6cd6bc96a0cf3d129129ae3  7.3/tar-1.13.25-4.7.2.legacy.src.rpm
a1b8401bcfab5b59ef6485c2f003c99f9d955627  9/tar-1.13.25-11.1.legacy.i386.rpm
e6016d9f7129b9f69e6350f546873c0af8d56aad  9/tar-1.13.25-11.1.legacy.src.rpm
264654e875a63b775da4b24029ece266b04945f3  1/tar-1.13.25-12.1.legacy.i386.rpm
7800fe52d72911d7628d9ddc29587e5c835da741  1/tar-1.13.25-12.1.legacy.src.rpm
3207c5e30b153be417d7ea3ad019e23a2d1072e1  2/tar-1.13.25-14.1.legacy.i386.rpm
050f763b8729c4fdcb2a3e65c6f84fce5c3b4dca  2/tar-1.13.25-14.1.legacy.src.rpm
d0a75ed94d9cfbd9f82e7dba87619f07b239fe1a  3/tar-1.14-5.FC3.1.legacy.i386.rpm
c2ff13c32cfd8eab23ed5143c4085490cacaee75  3/tar-1.14-5.FC3.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/tar-1.13.25-4.7.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/tar-1.13.25-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/tar-1.13.25-12.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/tar-1.13.25-14.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/tar-1.14-5.FC3.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFED31OLMAs/0C4zNoRAoSIAJ9igVJOX4VbPP/rBd0C+1mpmV/5EACgrZ0N
7WKdL0x7/pedxQdbeHDsPqk=
=pVdu
-----END PGP SIGNATURE-----
Comment 2 Pekka Savola 2006-03-09 00:38:15 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2, FC3
 
e6016d9f7129b9f69e6350f546873c0af8d56aad  tar-1.13.25-11.1.legacy.src.rpm
7800fe52d72911d7628d9ddc29587e5c835da741  tar-1.13.25-12.1.legacy.src.rpm
050f763b8729c4fdcb2a3e65c6f84fce5c3b4dca  tar-1.13.25-14.1.legacy.src.rpm
42f9320ba41fe16fc6cd6bc96a0cf3d129129ae3  tar-1.13.25-4.7.2.legacy.src.rpm
c2ff13c32cfd8eab23ed5143c4085490cacaee75  tar-1.14-5.FC3.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFED8CEGHbTkzxSL7QRAlK8AKCe9v77ZzjguDoXsiOSJE7edIQD6wCfb4Lw
sLm6/iFv/zZR+zLZbPvkN1w=
=fwta
-----END PGP SIGNATURE-----
Comment 3 Marc Deslauriers 2006-03-15 20:29:24 EST
Packages were pushed to updates-testing.
Comment 4 Tres Seaver 2006-03-15 23:46:56 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages tested:

  0caee4057c9325f93ac327e1a4d067fee8b1a744  tar-1.13.25-12.1.legacy.i386.rpm

  - SHA1 checksums and GPG signatures verified.

  - Packages installed cleanly.

  - Tested tar of sample directory before and after, with identical results.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEGO6M+gerLs4ltQ4RApPQAKDVPiTj1gA1hvrk0gej9XrN6b1U4ACeMd/p
543Of4Pk8O2TlIFeFhmo0lA=
=Z9BS
-----END PGP SIGNATURE-----
Comment 5 Pekka Savola 2006-03-16 00:48:05 EST
Thanks!
Comment 6 Pekka Savola 2006-03-16 01:05:23 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL9.  Signature OK, upgrades OK.  Rpm-build-compare.sh on
the binaries also looks OK.  Basic testing OK.
 
+VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFEGQDpGHbTkzxSL7QRAl7pAJ9B01KiyUx7QItpAqdktfyNXZpYzgCgzauT
HzHJeJ3x2odgeK9WHvUpA80=
=JUkB
-----END PGP SIGNATURE-----

Timeout shortened to one week.
Comment 7 Tom Yates 2006-03-23 05:52:39 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

df30641462702e447ac80e5e71db048e039cc378  tar-1.13.25-11.1.legacy.i386.rpm

installs OK.  I can't see any easy way to test this in the references I've
read, so can only add that tar works to pack, inventory and unpack using
a selection of my normal flags.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEIn9EePtvKV31zw4RAuZbAJ9QGaxn0tIMQioNrzp2/RFRIFYJRQCgw2d8
RK7kbNkqS4oCUfzZPPxJjvM=
=PU4v
-----END PGP SIGNATURE-----
Comment 8 Pekka Savola 2006-03-23 08:25:34 EST
Timeout over.
Comment 9 Marc Deslauriers 2006-04-04 20:27:04 EDT
Packages were released to updates.
