Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: tar
Date: Tue, 01 Oct 2002 07:37:49
Message-Id: 20021001123748.085A43477A@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :tar
SUMMARY        :directory-traversal vulnerability
DATE           :2002-10-01 12:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

The tar utility contains vulnerabilities which can allow
arbitrary files to be overwritten during archive extraction.

DETAIL

During testing by Red Hat of the fix to GNU tar from the advisory below,
it was discovered that GNU tar 1.13.25 was still vulnerable to a
modified version of the same problem.

Read the full original advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/tar-1.13.25-r2 and earlier update their systems
as follows:

emerge rsync
emerge tar
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9mZcbfT7nyhUpoZMRAgTqAJ9TIgnwCf6vABCsQp7fZ/WpHUoCNACdGzJH
2yxb1ASJvjfl5ToRzzfJ8oM=
=7aPP
-----END PGP SIGNATURE-----