Wow, that goes directly against my argument then. I should have looked closer myself.<br><br>Now one has to ask, why aren't these other distributions on top of things? If this newer version was released over a year ago then it should be fairly easy to include that version. I'm not familiar with the packaging of those distributions, so I'm making a wide assumption.
<br><br><div><span class="gmail_quote">On 8/25/07, <b class="gmail_sendername">Mark Thuemmel</b> <<a href="mailto:ldaphelp@thuemmel.com">ldaphelp@thuemmel.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Upon closer examination I'm guessing it is really because this was fixed<br>back in 2006-10-21 with version 1.16. My Ubuntu box shows 1.16<br>installed and the Security Focus page only shows up to GNU tar 1.15.91<br>
vulnerable.<br><br>I also see a patch at<br><a href="https://bugzilla.redhat.com/attachment.cgi?id=161175">https://bugzilla.redhat.com/attachment.cgi?id=161175</a> dated 2005-05-15<br>that appears to fix this.<br><br>I've not seen anything to demonstrate what is "new", maybe I'm looking
<br>at the wrong stuff.<br><br>Weird how Security Focus has an empty list for "not vulnerable". Just<br>seems they caught Redhat and Mandriva with not the latest TAR.<br><br>Makes me think it would be trivial to pick any gnu utility at random,
<br>look at their bug fixes for a serious one, then check distributions to<br>see if they still had that one, then publish a "new vulnerability".<br><br>Looks like RedHat Network is getting a patch out now. I don't know if
<br>this is old RedHat versions or what.<br><br>Overall you still don't seem to overwrite anything the user can't<br>already overwrite.<br><br><br><br><br>Clinton V. Weiss wrote:<br>> Ubuntu is based on Debian. These both use older, tested by time,
<br>> versions of everything. Unless of course you use Debian's unstable<br>> branch, but then you might just be asking for trouble - hence the name<br>> unstable.<br><br>Mark Thuemmel wrote:<br>> how come Debian or Ubuntu are not on the affected list? The GNU tar
<br>> home page does not seem to say anything either?<br>><br><br><a href="http://www.securityfocus.com/bid/25417">http://www.securityfocus.com/bid/25417</a><br><br><br>Begin forwarded message:<br><br> From: "Carl T. Miller" <
<a href="mailto:millerc@cantonpl.org">millerc@cantonpl.org</a>><br> Date: August 24, 2007 9:09:39 AM EST<br> To: "MDLUG List" <<a href="mailto:mdlug@mdlug.org">mdlug@mdlug.org</a>><br> Subject: [mdlug] tar advisory
<br> Reply-To: "MDLUG's Main discussion list" <<a href="mailto:mdlug@mdlug.org">mdlug@mdlug.org</a>><br><br> Does anyone know more about the newly discovered problem with<br> tar? I just read the description from Red Hat for the new
<br> version of tar, and it said someone could craft a tar archive<br> to extract files to an arbitrary location with the permissions<br> of the user.<br><br> Near as I know nobody is exploiting this. But it would be
<br> good to make sure you have the latest version of tar on your<br> hosts. And if you're running an unsupported version of Linux,<br> don't extract unknown tarballs as root. Extract them first as<br> a user, then take a look at them.
<br>_______________________________________________<br>mdlug mailing list<br><a href="mailto:mdlug@mdlug.org">mdlug@mdlug.org</a><br><a href="http://mdlug.org/mailman/listinfo/mdlug">http://mdlug.org/mailman/listinfo/mdlug
</a><br></blockquote></div><br><br clear="all"><br>-- <br>Clinton V. Weiss<br><a href="mailto:cvweiss@gmail.com">cvweiss@gmail.com</a>
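<br><br>The advice in the forwarded message, to extract unknown tarballs as an unprivileged user and look at them before trusting them, can be automated as a pre-extraction audit. The script below is an added example and is not from anyone in this thread nor from GNU tar; it uses Python's standard tarfile module, builds a small constructed archive in memory (the member names and the destination path /tmp/extract are assumptions chosen for illustration), and reports every member whose name or link target would land outside the chosen destination directory, which is the class of archive the advisory describes.<br>

```python
import io
import posixpath
import tarfile


def _is_inside(base: str, target: str) -> bool:
    """True if target (a POSIX path relative to base) resolves inside base."""
    resolved = posixpath.normpath(posixpath.join(base, target))
    return resolved == base or resolved.startswith(base + "/")


def audit_tar(data: bytes, dest: str = "/tmp/extract") -> list:
    """Return (member name, reason) for each member that would escape dest.

    Checks absolute names, '..' traversal in names, and hard/symbolic links
    whose target lies outside dest. Nothing is written to disk.
    """
    base = posixpath.normpath(dest)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if posixpath.isabs(m.name):
                findings.append((m.name, "absolute path"))
            elif not _is_inside(base, m.name):
                findings.append((m.name, "path escapes destination via '..'"))
            if m.issym() or m.islnk():
                # Symlink targets are relative to the member's own directory;
                # hard link targets are relative to the archive root.
                if m.issym():
                    target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                else:
                    target = m.linkname
                if posixpath.isabs(m.linkname) or not _is_inside(base, target):
                    findings.append((m.name, "link target outside destination: " + m.linkname))
    return findings


def safe_extract(data: bytes, dest: str) -> int:
    """Extract only if the audit is clean; otherwise raise without touching disk."""
    findings = audit_tar(data, dest)
    if findings:
        raise ValueError("refusing to extract: %r" % (findings,))
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        members = tf.getmembers()
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ also offers its own extraction filter; use it too.
            tf.extractall(dest, members=members, filter="data")
        else:
            tf.extractall(dest, members=members)
    return len(members)


def build_sample_archive() -> bytes:
    """Constructed sample (not a real archive from the thread): one benign
    member plus three members an extractor should refuse."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))

        add_file("pkg/README", b"hello\n")        # fine
        add_file("../escaped.txt", b"x\n")        # '..' traversal in name
        add_file("/abs.txt", b"y\n")              # absolute path
        link = tarfile.TarInfo("pkg/link")        # symlink pointing out of dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../somewhere"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample_archive()):
        print("REJECT %s: %s" % (name, reason))
```

Running the script prints one REJECT line for each of the three bad members and nothing for pkg/README; safe_extract() raises on the same archive before any file is written. The link check matters because a symlink that points outside the destination, followed by a later member written through it, reaches the same result as a '..' name, so an audit that only looks at names is incomplete.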