There are two separate issues that affect different subsets of our products.

I. RHL 7.3, RHL 9, FC1 & FC2: tar archive path traversal issue

CVE-2005-1918:
"The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an 'incorrect optimization' that allows user-complicit attackers to overwrite arbitrary files via a crafted tar file, probably involving '/../' sequences with a leading '/'."

This vulnerability appears to only affect tar-1.13.25 releases, which these four distros use.

Red Hat issued RHSA-2006:0195-01 for RHEL 2.1 and RHEL 3:
"In 2002, a path traversal flaw was found in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access (CVE-2002-0399). Red Hat included a backported security patch to correct this issue in Red Hat Enterprise Linux 3, and an erratum for Red Hat Enterprise Linux 2.1 users was issued.

"During internal testing, we discovered that our backported security patch contained an incorrect optimization and therefore was not sufficient to completely correct this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue."

Impact: Low

Ref:
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0399>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1918>
<http://rhn.redhat.com/errata/RHSA-2006-0195.html>

II. FC3: GNU tar heap overflow bug

CVE-2006-0300:
"Buffer overflow in tar 1.14 through 1.15.90 allows user-complicit attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers."

This issue affects FC3 & FC4.

Red Hat issued RHSA-2006:0232-01 for RHEL 4:
"Jim Meyering discovered a buffer overflow bug in the way GNU tar extracts malformed archives. By tricking a user into extracting a malicious tar archive, it is possible to execute arbitrary code as the user running tar. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0300 to this issue."

Impact: Moderate

Ref:
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300>
<http://rhn.redhat.com/errata/RHSA-2006-0232.html>
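The path traversal class described in the report (member names that escape the extraction directory, including the '/../' with leading '/' form that the incorrect optimization let through) can be screened for before an archive is ever extracted. The following is an added example, not code from this bug report or from the Fedora Legacy tar packages; it uses Python's standard tarfile module and goes slightly beyond the report by also checking symlink and hardlink targets, which are the other common way an archive member can point outside the destination. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def is_unsafe_member_name(name: str) -> bool:
    """Return True if a tar member path could land outside the extraction dir.

    Two lexical checks cover the cases in the report: an absolute name
    (which includes the '/../etc/x' form, since it starts with '/'), and a
    relative name whose normalized form still begins with '..'.  A name such
    as 'safe/../ok.txt' normalizes to 'ok.txt' and is accepted.
    """
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def find_traversal_members(archive_bytes: bytes) -> list[str]:
    """List member names in a tar archive that would escape the target dir.

    Symlink targets are resolved relative to the link's own directory inside
    the archive; hardlink targets are plain member paths, so they are checked
    directly.  Only headers are read; nothing is extracted.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        for member in tf.getmembers():
            if is_unsafe_member_name(member.name):
                findings.append(member.name)
            elif member.issym():
                # An absolute linkname makes posixpath.join return it unchanged,
                # so absolute link targets are flagged by the same check.
                target = posixpath.join(posixpath.dirname(member.name), member.linkname)
                if is_unsafe_member_name(target):
                    findings.append(member.name)
            elif member.islnk() and is_unsafe_member_name(member.linkname):
                findings.append(member.name)
    return findings


def build_sample_archive() -> bytes:
    """Construct an in-memory tar (sample data, not a real-world archive).

    It holds one benign file, one file whose '..' collapses harmlessly, two
    traversal names, and one symlink pointing above the extraction root.
    TarInfo is used directly so the names are stored verbatim.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in [
            "docs/readme.txt",       # benign
            "/../tmp/evil.txt",      # leading '/' plus '/../', as in the report
            "../../etc/cron.d/x",    # plain relative traversal
            "safe/../ok.txt",        # normalizes inside the tree
        ]:
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("bin/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_traversal_members(build_sample_archive()):
        print("refusing member:", name)
```

Running the script reports `/../tmp/evil.txt`, `../../etc/cron.d/x` and `bin/escape`, and nothing else. On Python 3.12 and later, `TarFile.extractall(filter="data")` applies equivalent refusals at extraction time; the pre-check above is useful where an archive must be rejected or logged before any write happens, or on older interpreters.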
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

0aaaf5b265850a98ca905e032642c7e7ff882747  7.3/tar-1.13.25-4.7.2.legacy.i386.rpm
42f9320ba41fe16fc6cd6bc96a0cf3d129129ae3  7.3/tar-1.13.25-4.7.2.legacy.src.rpm
a1b8401bcfab5b59ef6485c2f003c99f9d955627  9/tar-1.13.25-11.1.legacy.i386.rpm
e6016d9f7129b9f69e6350f546873c0af8d56aad  9/tar-1.13.25-11.1.legacy.src.rpm
264654e875a63b775da4b24029ece266b04945f3  1/tar-1.13.25-12.1.legacy.i386.rpm
7800fe52d72911d7628d9ddc29587e5c835da741  1/tar-1.13.25-12.1.legacy.src.rpm
3207c5e30b153be417d7ea3ad019e23a2d1072e1  2/tar-1.13.25-14.1.legacy.i386.rpm
050f763b8729c4fdcb2a3e65c6f84fce5c3b4dca  2/tar-1.13.25-14.1.legacy.src.rpm
d0a75ed94d9cfbd9f82e7dba87619f07b239fe1a  3/tar-1.14-5.FC3.1.legacy.i386.rpm
c2ff13c32cfd8eab23ed5143c4085490cacaee75  3/tar-1.14-5.FC3.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/tar-1.13.25-4.7.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/tar-1.13.25-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/tar-1.13.25-12.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/tar-1.13.25-14.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/tar-1.14-5.FC3.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFED31OLMAs/0C4zNoRAoSIAJ9igVJOX4VbPP/rBd0C+1mpmV/5EACgrZ0N
7WKdL0x7/pedxQdbeHDsPqk=
=pVdu
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches verified to come from RHEL

+PUBLISH RHL73, RHL9, FC1, FC2, FC3

e6016d9f7129b9f69e6350f546873c0af8d56aad  tar-1.13.25-11.1.legacy.src.rpm
7800fe52d72911d7628d9ddc29587e5c835da741  tar-1.13.25-12.1.legacy.src.rpm
050f763b8729c4fdcb2a3e65c6f84fce5c3b4dca  tar-1.13.25-14.1.legacy.src.rpm
42f9320ba41fe16fc6cd6bc96a0cf3d129129ae3  tar-1.13.25-4.7.2.legacy.src.rpm
c2ff13c32cfd8eab23ed5143c4085490cacaee75  tar-1.14-5.FC3.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFED8CEGHbTkzxSL7QRAlK8AKCe9v77ZzjguDoXsiOSJE7edIQD6wCfb4Lw
sLm6/iFv/zZR+zLZbPvkN1w=
=fwta
-----END PGP SIGNATURE-----
Packages were pushed to updates-testing.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages tested:

0caee4057c9325f93ac327e1a4d067fee8b1a744  tar-1.13.25-12.1.legacy.i386.rpm

- SHA1 checksums and GPG signatures verified.
- Packages installed cleanly.
- Tested tar of sample directory before and after, with identical results.

+VERIFY FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEGO6M+gerLs4ltQ4RApPQAKDVPiTj1gA1hvrk0gej9XrN6b1U4ACeMd/p
543Of4Pk8O2TlIFeFhmo0lA=
=Z9BS
-----END PGP SIGNATURE-----
Thanks!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL9. Signature OK, upgrades OK. Rpm-build-compare.sh on the binaries also looks OK. Basic testing OK.

+VERIFY RHL9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEGQDpGHbTkzxSL7QRAl7pAJ9B01KiyUx7QItpAqdktfyNXZpYzgCgzauT
HzHJeJ3x2odgeK9WHvUpA80=
=JUkB
-----END PGP SIGNATURE-----

Timeout shortened to one week.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

df30641462702e447ac80e5e71db048e039cc378  tar-1.13.25-11.1.legacy.i386.rpm

Installs OK. I can't see any easy way to test this in the references I've read, so I can only add that tar works to pack, inventory and unpack using a selection of my normal flags.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEIn9EePtvKV31zw4RAuZbAJ9QGaxn0tIMQioNrzp2/RFRIFYJRQCgw2d8
RK7kbNkqS4oCUfzZPPxJjvM=
=PU4v
-----END PGP SIGNATURE-----
Timeout over.
Packages were released to updates.