[mdlug] Fwd: tar advisory

Mark Thuemmel ldaphelp at thuemmel.com
Sat Aug 25 16:45:37 EDT 2007


Upon closer examination I'm guessing it is really because this was fixed
back in 2006-10-21 with version 1.16.  My Ubuntu box shows 1.16
installed and the Security Focus page only shows up to GNU tar 1.15.91
vulnerable.

I also see a patch at
https://bugzilla.redhat.com/attachment.cgi?id=161175 dated 2005-05-15
that appears to fix this.

I've not seen anything to demonstrate what is "new", maybe I'm looking
at the wrong stuff.

Weird how Security Focus has an empty list for "not vulnerable".  Just
seems they caught Redhat and Mandriva with not the latest TAR.

Makes me think it would be trivial to pick any gnu utility at random,
look at their bug fixes for a serious one, then check distributions to
see if they still had that one, then publish a "new vulnerability".

Looks like RedHat Network is getting a patch out now.  I don't know if
this is old RedHat versions or what.

Overall you still don't seem to overwrite anything the user can't
already overwrite.

Clinton V. Weiss wrote:
> Ubuntu is based on Debian.  These both use older, tested by time,
> versions of everything.  Unless of course you use Debian's unstable
> branch, but then you might just be asking for trouble - hence the name
> unstable.

Mark Thuemmel wrote:
> how come Debian or Ubuntu are not on the affected list?  The GNU tar
> home page does not seem to say anything either?
>

http://www.securityfocus.com/bid/25417


Begin forwarded message:

    From: "Carl T. Miller" <millerc at cantonpl.org>
    Date: August 24, 2007 9:09:39 AM EST
    To: "MDLUG List" <mdlug at mdlug.org>
    Subject: [mdlug] tar advisory
    Reply-To: "MDLUG's Main discussion list" <mdlug at mdlug.org>

    Does anyone know more about the newly discovered problem with
    tar? I just read the description from Red Hat for the new
    version of tar, and it said someone could craft a tar archive
    to extract files to an arbitrary location with the permissions
    of the user.

    Near as I know nobody is exploiting this. But it would be
    good to make sure you have the latest version of tar on your
    hosts. And if you're running an unsupported version of Linux,
    don't extract unknown tarballs as root. Extract them first as
    a user, then take a look at them.

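The advice above, to look at an unknown tarball as an unprivileged user before extracting it anywhere, can be automated. The following is an added example (not from this thread, and not GNU tar's own code) that lists the members of an archive that would write or point outside the extraction directory: absolute paths, `..` traversal, and symlinks whose target resolves outside the tree. The sample archive it builds is constructed here for the demonstration.

```python
import io
import posixpath
import tarfile


def _escapes(path: str) -> bool:
    """True if a slash-separated path is absolute or climbs above the extraction root."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def unsafe_members(archive: bytes) -> list[tuple[str, str]]:
    """Inspect a tar archive (given as bytes) without extracting anything and
    return (member name, reason) for each entry that would land, or point,
    outside the directory it is extracted into."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction directory"))
            elif m.issym():
                # A symlink target is resolved relative to the link's own directory;
                # an absolute linkname makes posixpath.join return the absolute path.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if _escapes(target):
                    findings.append((m.name, f"symlink to {m.linkname}"))
            elif m.islnk() and _escapes(m.linkname):
                # A hard link target is relative to the archive root.
                findings.append((m.name, f"hard link to {m.linkname}"))
            elif m.isdev():
                findings.append((m.name, "device node or FIFO"))
    return findings


def build_sample_archive(include_hostile: bool = True) -> bytes:
    """Constructed sample archive: one harmless file and, optionally, three
    hostile entries of the kinds the advisory describes (not a real-world archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name: str, payload: bytes = b"x") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        add_file("pkg/README")
        if include_hostile:
            add_file("../../outside.txt")      # climbs out of the target directory
            add_file("/tmp/absolute.txt")      # absolute path
            link = tarfile.TarInfo("pkg/link")  # symlink pointing outside the tree
            link.type = tarfile.SYMTYPE
            link.linkname = "/etc"
            tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_archive()):
        print(f"{name}: {reason}")
```

Python 3.12 and later can also refuse such members at extraction time with `extractall(filter="data")`; the check above is useful where that is not available or where you want a report before touching the filesystem.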