Red Hat 9036 Published by

Fedora Legacy Update Advisory

Synopsis: Updated tar package fixes security issue
Advisory ID: FLSA:183571-1
Issue date: 2006-04-04
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2005-1918
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

An updated tar package that fixes a path traversal flaw is now
available.

The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

In 2002, a path traversal flaw was found in the way GNU tar extracted
archives. A malicious user could create a tar archive that could write
to arbitrary files to which the user running GNU tar has write access
(CVE-2002-0399). A security advisory was released containing a
backported patch.

It was discovered that the backported security patch contained an
incorrect optimization and therefore was not sufficient to completely
correct this vulnerability. The Common Vulnerabilities and Exposures
project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue.

Users of tar should upgrade to this updated package, which contains a
replacement backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183571

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tar-1.13.25-4.7
.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tar-1.13.25-4.7.
2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tar-1.13.25-11.1.
legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/tar-1.13.25-11.1.l
egacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tar-1.13.25-12.1.
legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/tar-1.13.25-12.1.l
egacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tar-1.13.25-14.1.
legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/tar-1.13.25-14.1.l
egacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

57d5b198335bcb254ff49b26b60b2ded6fdc3c29
redhat/7.3/updates/i386/tar-1.13.25-4.7.2.legacy.i386.rpm
aec36c77c75a882b3c44a61fa61c23ff204ef4e5
redhat/7.3/updates/SRPMS/tar-1.13.25-4.7.2.legacy.src.rpm

df30641462702e447ac80e5e71db048e039cc378
redhat/9/updates/i386/tar-1.13.25-11.1.legacy.i386.rpm
27e7678d52f44d3872047c5b05c6dfd751c2a806
redhat/9/updates/SRPMS/tar-1.13.25-11.1.legacy.src.rpm

0caee4057c9325f93ac327e1a4d067fee8b1a744
fedora/1/updates/i386/tar-1.13.25-12.1.legacy.i386.rpm
458a1d96fdf8f580b5702a7243f7653d8c581ac6
fedora/1/updates/SRPMS/tar-1.13.25-12.1.legacy.src.rpm

5565230fd52a82671b69a9310883a25f7844b8a6
fedora/2/updates/i386/tar-1.13.25-14.1.legacy.i386.rpm
864f986b64392dacaec2bde2c42339a4e6bd7e35
fedora/2/updates/SRPMS/tar-1.13.25-14.1.legacy.src.rpm


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1918

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org