Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-15 Thread Moritz Muehlenhoff
Moritz Muehlenhoff wrote:
> This question comes up from time to time. If someone wants to write a FAQ entry
> for the Debian Security FAQ, please send it to [EMAIL PROTECTED]

It's now documented in the Debian Security FAQ.

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-09 Thread Andrew Vaughan
On Wed, 8 Mar 2006 21:04, Moritz Muehlenhoff wrote:
> Mathieu Roy wrote:
> >> > What does
> >> >  local(remote)
> >> > mean?
> >> > Does it mean local... or remote?
> >>
> >>   Local.  But remote in the sense that you may receive a .tar file
> >>  from a remote source.
> >
> > Ok, thanks for the input.
> >
> > Looks like an oxymoron, a bit confusing though (but I have no proposal for
> > alternative wording).
>
> This question comes up from time to time. If someone wants to write a FAQ
> entry for the Debian Security FAQ, please send it to
> [EMAIL PROTECTED]
How about just changing the wording in the DSA to
local, plus files obtained from an untrusted source.

>
> Cheers,
> Moritz





Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Florian Weimer
* Steve Kemp:

> On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:
>
>> > Package: tar
>> > Vulnerability  : buffer overflow
>> > Problem-Type   : local(remote)
>> 
>> What does
>>  local(remote)
>> mean?
>> Does it mean local... or remote?
>
>   Local.  But remote in the sense that you may receive a .tar file
>  from a remote source.

NVD calls this "user-initiated".  With infrastructure software like
tar, it's hard to tell how it is indirectly exposed to the network, so
the attack range classification does not make much sense (even more
difficult is zlib; tar has got at least a bit of networking support).





Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Moritz Muehlenhoff
Mathieu Roy wrote:
>> > What does
>> >local(remote)
>> > mean?
>> > Does it mean local... or remote?
>>
>>   Local.  But remote in the sense that you may receive a .tar file
>>  from a remote source.
>
> Ok, thanks for the input. 
>
> Looks like an oxymoron, a bit confusing though (but I have no proposal for
> alternative wording).

This question comes up from time to time. If someone wants to write a FAQ entry for
the Debian Security FAQ, please send it to [EMAIL PROTECTED]

Cheers,
Moritz





Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Mathieu Roy
On Wednesday 8 March 2006 10:17, Steve Kemp wrote:
> On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:
> > > Package: tar
> > > Vulnerability  : buffer overflow
> > > Problem-Type   : local(remote)
> >
> > What does
> > local(remote)
> > mean?
> > Does it mean local... or remote?
>
>   Local.  But remote in the sense that you may receive a .tar file
>  from a remote source.
>

Ok, thanks for the input. 

Looks like an oxymoron, a bit confusing though (but I have no proposal for
alternative wording).



-- 
Mathieu Roy




Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Steve Kemp
On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:

> > Package: tar
> > Vulnerability  : buffer overflow
> > Problem-Type   : local(remote)
> 
> What does
>   local(remote)
> mean?
> Does it mean local... or remote?

  Local.  But remote in the sense that you may receive a .tar file
 from a remote source.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Mathieu Roy
On Tuesday 7 March 2006 15:19, Moritz Muehlenhoff wrote:
> --
> Debian Security Advisory DSA 987-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Moritz Muehlenhoff
> March 7th, 2006 http://www.debian.org/security/faq
> --
>
> Package: tar
> Vulnerability  : buffer overflow
> Problem-Type   : local(remote)

What does
local(remote)
mean?

Does it mean local... or remote?

Regards,

-- 
Mathieu Roy

  +-+
  | General Homepage:   http://yeupou.coleumes.org/ |
  | Computing Homepage: http://alberich.coleumes.org/   |
  | Not a native english speaker:   |
  | http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +-+