[EMAIL PROTECTED] ([EMAIL PROTECTED]) writes:
> ---------------------------------------------------------------------
> Red Hat, Inc. Red Hat Security Advisory
>
> Synopsis: Updated unzip and tar packages fix vulnerabilities
> Advisory ID: RHSA-2002:096-24
> Issue date: 2002-05-20
> Updated on: 2002-09-18
> Product: Red Hat Linux
> Keywords: unzip tar path unpack
> Cross references:
> Obsoletes:
> CVE Names: CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> The unzip and tar utilities contain vulnerabilities which can allow
> arbitrary files to be overwritten during archive extraction.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 6.2 - alpha, i386, sparc
> Red Hat Linux 7.0 - alpha, i386
> Red Hat Linux 7.1 - alpha, i386, ia64
> Red Hat Linux 7.2 - i386, ia64
> Red Hat Linux 7.3 - i386
>
> 3. Problem description:
>
> The unzip and tar utilities are used for manipulating archives, which
> are multiple files stored inside of a single file.
>
> A directory traversal vulnerability in unzip version 5.42 and earlier,
> as well as GNU tar 1.13.19 and earlier, allows attackers to overwrite
> arbitrary files during archive extraction via a ".." (dot dot) in an
> extracted filename. The Common Vulnerabilities and Exposures project
> (cve.mitre.org) has assigned the name CAN-2001-1267 and CAN-2001-1268 to
> this issue.
>
> In addition, unzip version 5.42 and earlier also allows attackers to
> overwrite arbitrary files during archive extraction via filenames in the
> archive that begin with the "/" (slash) character. The Common
> Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
> name CAN-2001-1269 to this issue.
>
> During testing of the fix to GNU tar, it was discovered that GNU tar
> 1.13.25 was still vulnerable to a modified version of the same problem.
> Red Hat has provided a patch to tar 1.3.25 to correct this problem. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
> the name CAN-2002-0399 to this issue.
>
> Users of unzip and tar are advised to upgrade to these errata packages,
> containing unzip version 5.50 (for Red Hat Linux 6.2, 7, 7.1, and 7.2) and
> a patched version of GNU tar 1.13.25 (for Red Hat Linux 6.2, 7, 7.1, 7.2,
> and 7.3), which are not vulnerable to these issues.
>
> Important Note: For users of Red Hat Linux 6.2 and 7 only, these errata
> packages change one of the command line options for tar. Previously the
> '-I' option was used to enable bzip2 compression, while in these errata
> packages the option has changed to '-j'.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade. Only those
> RPMs which are currently installed will be updated. Those RPMs which are
> not installed but included in the list will not be updated. Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains
> the desired RPMs.
>
> Please note that this update is also available via Red Hat Network. Many
> people find this an easier way to apply updates. To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
>
> up2date
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
>
> 5. RPMs required:
>
> Red Hat Linux 6.2:
>
> SRPMS:
> ftp://updates.redhat.com/6.2/en/os/SRPMS/unzip-5.50-1.62.src.rpm
> ftp://updates.redhat.com/6.2/en/os/SRPMS/tar-1.13.25-1.6.src.rpm
>
> alpha:
> ftp://updates.redhat.com/6.2/en/os/alpha/unzip-5.50-1.62.alpha.rpm
> ftp://updates.redhat.com/6.2/en/os/alpha/tar-1.13.25-1.6.alpha.rpm
>
> i386:
> ftp://updates.redhat.com/6.2/en/os/i386/unzip-5.50-1.62.i386.rpm
> ftp://updates.redhat.com/6.2/en/os/i386/tar-1.13.25-1.6.i386.rpm
>
> sparc:
> ftp://updates.redhat.com/6.2/en/os/sparc/unzip-5.50-1.62.sparc.rpm
> ftp://updates.redhat.com/6.2/en/os/sparc/tar-1.13.25-1.6.sparc.rpm
>
> Red Hat Linux 7.0:
>
> SRPMS:
> ftp://updates.redhat.com/7.0/en/os/SRPMS/unzip-5.50-2.src.rpm
> ftp://updates.redhat.com/7.0/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm
>
> alpha:
> ftp://updates.redhat.com/7.0/en/os/alpha/unzip-5.50-2.alpha.rpm
> ftp://updates.redhat.com/7.0/en/os/alpha/tar-1.13.25-4.7.1.alpha.rpm
>
> i386:
> ftp://updates.redhat.com/7.0/en/os/i386/unzip-5.50-2.i386.rpm
> ftp://updates.redhat.com/7.0/en/os/i386/tar-1.13.25-4.7.1.i386.rpm
>
> Red Hat Linux 7.1:
>
> SRPMS:
> ftp://updates.redhat.com/7.1/en/os/SRPMS/unzip-5.50-2.src.rpm
> ftp://updates.redhat.com/7.1/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm
>
> alpha:
> ftp://updates.redhat.com/7.1/en/os/alpha/unzip-5.50-2.alpha.rpm
> ftp://updates.redhat.com/7.1/en/os/alpha/tar-1.13.25-4.7.1.alpha.rpm
>
> i386:
> ftp://updates.redhat.com/7.1/en/os/i386/unzip-5.50-2.i386.rpm
> ftp://updates.redhat.com/7.1/en/os/i386/tar-1.13.25-4.7.1.i386.rpm
>
> ia64:
> ftp://updates.redhat.com/7.1/en/os/ia64/unzip-5.50-2.ia64.rpm
> ftp://updates.redhat.com/7.1/en/os/ia64/tar-1.13.25-4.7.1.ia64.rpm
>
> Red Hat Linux 7.2:
>
> SRPMS:
> ftp://updates.redhat.com/7.2/en/os/SRPMS/unzip-5.50-2.src.rpm
> ftp://updates.redhat.com/7.2/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm
>
> i386:
> ftp://updates.redhat.com/7.2/en/os/i386/unzip-5.50-2.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/tar-1.13.25-4.7.1.i386.rpm
>
> ia64:
> ftp://updates.redhat.com/7.2/en/os/ia64/unzip-5.50-2.ia64.rpm
> ftp://updates.redhat.com/7.2/en/os/ia64/tar-1.13.25-4.7.1.ia64.rpm
>
> Red Hat Linux 7.3:
>
> SRPMS:
> ftp://updates.redhat.com/7.3/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm
>
> i386:
> ftp://updates.redhat.com/7.3/en/os/i386/tar-1.13.25-4.7.1.i386.rpm
>
> 6. Verification:
>
> (The advisory lists an MD5 sum for every package above; the checksum
> table is omitted here.)
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/about/contact/pgpkey.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 7. References:
>
> http://online.securityfocus.com/archive/1/196445
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1268
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1269
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0399
>
> Copyright(c) 2000, 2001, 2002 Red Hat, Inc.
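As an added example (my own code, not part of the advisory or of the Red Hat packages), the kind of member-name check the tar and unzip fixes amount to: it builds a small constructed archive containing the name patterns the advisory describes (".." components, a leading "/", and a symlink whose target escapes) and reports which members a naive extractor would write outside the destination. Function names and the sample archive are assumptions of this example.

```python
import io
import posixpath
import tarfile


def _stays_inside(path: str) -> bool:
    """True if `path` cannot leave the extraction directory."""
    if path.startswith("/"):          # absolute name (CAN-2001-1269 style)
        return False
    parts = posixpath.normpath(path).split("/")
    return ".." not in parts          # traversal (CAN-2001-1267/1268 style)


def is_safe_member(member: tarfile.TarInfo) -> bool:
    """Reject members whose name, or link target, escapes the destination."""
    if not _stays_inside(member.name):
        return False
    if member.issym():
        # A symlink target is resolved relative to the link's own directory,
        # so check the combined path rather than the target on its own.
        return _stays_inside(posixpath.join(posixpath.dirname(member.name),
                                            member.linkname))
    if member.islnk():
        return _stays_inside(member.linkname)   # hard links are archive-relative
    return True


def unsafe_names(archive: bytes) -> list[str]:
    """Names of members that a naive extraction would write outside the target."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_member(m)]


def build_sample_archive() -> bytes:
    """Constructed sample (not from the advisory): one benign member, then
    the kinds of member names the advisory describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("safe/file.txt", "../../etc/passwd", "/etc/passwd"):
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"hello\n"))
        link = tarfile.TarInfo("safe/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/shadow"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_names(build_sample_archive()))
```

Newer Python releases ship an equivalent policy as `tarfile`'s `filter="data"`; the check above is what such a filter does for names and link targets.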
