[mdlug] Fwd: tar advisory

Clinton V. Weiss cvweiss at gmail.com
Sun Aug 26 09:51:35 EDT 2007


Wow, that goes directly against my argument then.  I should have looked
closer myself.

Now one has to ask, why aren't these other distributions on top of things?
If this newer version was released over a year ago then it should be fairly
easy to include that version.  I'm not familiar with the packaging of those
distributions, so I'm making a wide assumption.

On 8/25/07, Mark Thuemmel <ldaphelp at thuemmel.com> wrote:
>
> Upon closer examination I'm guessing it is really because this was fixed
> back in 2006-10-21 with version 1.16.  My Ubuntu box shows 1.16
> installed and the Security Focus page only shows up to GNU tar 1.15.91
> vulnerable.
>
> I also see a patch at
> https://bugzilla.redhat.com/attachment.cgi?id=161175 dated 2005-05-15
> that appears to fix this.
>
> I've not seen anything to demonstrate what is "new", maybe I'm looking
> at the wrong stuff.
>
> Weird how Security Focus has an empty list for "not vulnerable".  Just
> seems they caught Redhat and Mandriva with not the latest TAR.
>
> Makes me think it would be trivial to pick any gnu utility at random,
> look at their bug fixes for a serious one, then check distributions to
> see if they still had that one, then publish a "new vulnerability".
>
> Looks like RedHat Network is getting a patch out now.  I don't know if
> this is old RedHat versions or what.
>
> Overall you still don't seem to overwrite anything the user can't
> already overwrite.
>
> Clinton V. Weiss wrote:
> > Ubuntu is based on Debian.  These both use older, tested by time,
> > versions of everything.  Unless of course you use Debian's unstable
> > branch, but then you might just be asking for trouble - hence the name
> > unstable.
>
> Mark Thuemmel wrote:
> > How come Debian or Ubuntu are not on the affected list?  The GNU tar
> > home page does not seem to say anything either?
> >
>
> http://www.securityfocus.com/bid/25417
>
> Begin forwarded message:
>
>     From: "Carl T. Miller" <millerc at cantonpl.org>
>     Date: August 24, 2007 9:09:39 AM EST
>     To: "MDLUG List" <mdlug at mdlug.org>
>     Subject: [mdlug] tar advisory
>     Reply-To: "MDLUG's Main discussion list" <mdlug at mdlug.org>
>
>     Does anyone know more about the newly discovered problem with
>     tar? I just read the description from Red Hat for the new
>     version of tar, and it said someone could craft a tar archive
>     to extract files to an arbitrary location with the permissions
>     of the user.
>
>     Near as I know nobody is exploiting this. But it would be
>     good to make sure you have the latest version of tar on your
>     hosts. And if you're running an unsupported version of Linux,
>     don't extract unknown tarballs as root. Extract them first as
>     a user, then take a look at them.
> _______________________________________________
> mdlug mailing list
> mdlug at mdlug.org
> http://mdlug.org/mailman/listinfo/mdlug
>

-- 
Clinton V. Weiss
cvweiss at gmail.com
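Carl's advice in the forwarded message is to unpack an unknown tarball as an unprivileged user and look at it first. The following Python script, added here and not part of the thread, automates that look: it lists every archive member whose name or link target would land outside the extraction directory, which is the class of entry the advisory describes. The sample archive it builds is constructed for the demonstration.

```python
import io
import posixpath
import tarfile


def _escapes(path: str) -> bool:
    """True if a normalised relative path climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def unsafe_members(data: bytes) -> list:
    """Return (member name, reason) for each entry of the raw tar bytes 'data'
    that would be written outside the extraction directory: absolute names,
    '..' traversal, and hard/symbolic links whose target resolves outside."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.name.startswith("/"):
                problems.append((m.name, "absolute path"))
            elif _escapes(m.name):
                problems.append((m.name, "parent-directory traversal"))
            elif m.issym() or m.islnk():
                if m.linkname.startswith("/"):
                    problems.append((m.name, "link to absolute target"))
                    continue
                # A symlink target is relative to the link's own directory;
                # a hard link target is relative to the archive root.
                base = posixpath.dirname(m.name) if m.issym() else ""
                if _escapes(posixpath.join(base, m.linkname)):
                    problems.append((m.name, "link target escapes tree"))
    return problems


def build_sample() -> bytes:
    """Constructed sample archive: one harmless file plus three entries of
    the kind the advisory describes (traversal, absolute path, symlink)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("pkg/README", "../../escape.txt", "/tmp/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample()):
        print(f"{reason}: {name}")
```

Python 3.12 and later (and the security backports to older 3.x releases) also ship `tarfile.data_filter`, which refuses the same members at extraction time via `tf.extractall(path, filter="data")`.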