Debian Security Advisory DSA-1438-1 security (at) debian (dot) org [email concealed]
http://www.debian.org/security/ Florian Weimer
December 28, 2007 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : tar
Vulnerability : several
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2007-4131, CVE-2007-4476
Several vulnerabilities have been discovered in GNU Tar. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-4131
A directory traversal vulnerability enables attackers using
specially crafted archives to extract contents outside the
directory tree created by tar.
CVE-2007-4476
A stack-based buffer overflow in the file name checking code may
lead to arbitrary code execution when processing maliciously
crafted archives.
For the stable distribution (etch), these problems have been fixed in
version 1.16-2etch1.
For the old stable distribution (sarge), these problems have been
fixed in 1.14-2.4.
For the unstable distribution (sid), these problems have been fixed in
version 1.18-2.
We recommend that you upgrade your tar package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 3.1 (oldstable)
- ----------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/t/tar/tar_1.14.orig.tar.gz
Size/MD5 checksum: 1485633 3094544702b1affa32d969f0b6459663
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4.dsc
Size/MD5 checksum: 846 cbcbbd7c638de842f913ac566c3f0b0a
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4.diff.gz
Size/MD5 checksum: 51869 2675ec9acdf59ba6f0c54e5325675fcf
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_alpha.de
b
Size/MD5 checksum: 533650 c5e87a25f7c6efd0e39647249f889ca3
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_amd64.de
b
Size/MD5 checksum: 504092 64131456790b8bc4b45e341ce0ca6040
arm architecture (ARM)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_arm.deb
Size/MD5 checksum: 502452 1374822a67eafcd4f385b43479225b7b
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_hppa.deb
Size/MD5 checksum: 517962 f8d1d70a5989d1cab377efdc7c821e24
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_i386.deb
Size/MD5 checksum: 500822 3b1099df9c1df15768f8dc568068e02f
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_ia64.deb
Size/MD5 checksum: 543620 3026d8ed3c4e9203b3af8e7813a7858c
m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_m68k.deb
Size/MD5 checksum: 489264 ec8bab9c3860d11e33b4c5ebef3be8e0
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_mips.deb
Size/MD5 checksum: 520658 9211a627bc4bd7859bf8e3c538abf342
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_mipsel.d
eb
Size/MD5 checksum: 520438 a58746324064e51070a558102a134de3
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_powerpc.
deb
Size/MD5 checksum: 507092 bd57425832d21b0a12843d196c2ba4f0
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_s390.deb
Size/MD5 checksum: 512130 cd095e0a66981c279d8d1ede88c67a60
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_sparc.de
b
Size/MD5 checksum: 499878 062c6de1a4b1b5a0ea9da2926f5d80ec
Debian 4.0 (stable)
- -------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1.diff.
gz
Size/MD5 checksum: 31360 96eb9bcd2d8257893a4f530eb00c9da5
http://security.debian.org/pool/updates/main/t/tar/tar_1.16.orig.tar.gz
Size/MD5 checksum: 2199571 d971b9d6114ad0527ef89fab0d3167e0
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1.dsc
Size/MD5 checksum: 871 c7d9d75758a04174348cd65bb7aaab16
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_alpha
.deb
Size/MD5 checksum: 738546 c181b637bb4ed83619c0086bb3d19312
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_amd64
.deb
Size/MD5 checksum: 714108 b7287060cfefae808c694a60f9cb421c
arm architecture (ARM)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_arm.d
eb
Size/MD5 checksum: 671036 c20ed223967ec38af1ddf88d1b49eff9
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_hppa.
deb
Size/MD5 checksum: 695748 69013bb176a94d2ef6d17342728ed3f8
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_i386.
deb
Size/MD5 checksum: 675590 5630796721944b8f6c261628b0f2b18d
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_ia64.
deb
Size/MD5 checksum: 807488 0e4fd97fd5fef6a0b4fd6edba44ec9ca
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_mips.
deb
Size/MD5 checksum: 701392 c627d531a2d02d652a8fb220f90e51e1
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_mipse
l.deb
Size/MD5 checksum: 701162 979cdb4ee29782a1b9fa1d68c5de05ee
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_power
pc.deb
Size/MD5 checksum: 683616 73c25ecbdbf6aac0c814b1b16cdf99ab
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_s390.
deb
Size/MD5 checksum: 694000 2364d67dcc6eb6b160590189fa4553ad
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_sparc
.deb
Size/MD5 checksum: 668548 ec9e0a954b64ca8cbf8af1412870b8d8
These files will probably be moved into the stable distribution on
its next update.
http://www.debian.org/security/ Florian Weimer
December 28, 2007 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : tar
Vulnerability : several
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2007-4131, CVE-2007-4476
Several vulnerabilities have been discovered in GNU Tar. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-4131
A directory traversal vulnerability enables attackers using
specially crafted archives to extract contents outside the
directory tree created by tar.
CVE-2007-4476
A stack-based buffer overflow in the file name checking code may
lead to arbitrary code execution when processing maliciously
crafted archives.
For the stable distribution (etch), these problems have been fixed in
version 1.16-2etch1.
For the old stable distribution (sarge), these problems have been
fixed in 1.14-2.4.
For the unstable distribution (sid), these problems have been fixed in
version 1.18-2.
We recommend that you upgrade your tar package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 3.1 (oldstable)
- ----------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/t/tar/tar_1.14.orig.tar.gz
Size/MD5 checksum: 1485633 3094544702b1affa32d969f0b6459663
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4.dsc
Size/MD5 checksum: 846 cbcbbd7c638de842f913ac566c3f0b0a
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4.diff.gz
Size/MD5 checksum: 51869 2675ec9acdf59ba6f0c54e5325675fcf
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_alpha.de
b
Size/MD5 checksum: 533650 c5e87a25f7c6efd0e39647249f889ca3
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_amd64.de
b
Size/MD5 checksum: 504092 64131456790b8bc4b45e341ce0ca6040
arm architecture (ARM)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_arm.deb
Size/MD5 checksum: 502452 1374822a67eafcd4f385b43479225b7b
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_hppa.deb
Size/MD5 checksum: 517962 f8d1d70a5989d1cab377efdc7c821e24
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_i386.deb
Size/MD5 checksum: 500822 3b1099df9c1df15768f8dc568068e02f
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_ia64.deb
Size/MD5 checksum: 543620 3026d8ed3c4e9203b3af8e7813a7858c
m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_m68k.deb
Size/MD5 checksum: 489264 ec8bab9c3860d11e33b4c5ebef3be8e0
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_mips.deb
Size/MD5 checksum: 520658 9211a627bc4bd7859bf8e3c538abf342
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_mipsel.d
eb
Size/MD5 checksum: 520438 a58746324064e51070a558102a134de3
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_powerpc.
deb
Size/MD5 checksum: 507092 bd57425832d21b0a12843d196c2ba4f0
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_s390.deb
Size/MD5 checksum: 512130 cd095e0a66981c279d8d1ede88c67a60
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_sparc.de
b
Size/MD5 checksum: 499878 062c6de1a4b1b5a0ea9da2926f5d80ec
Debian 4.0 (stable)
- -------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1.diff.
gz
Size/MD5 checksum: 31360 96eb9bcd2d8257893a4f530eb00c9da5
http://security.debian.org/pool/updates/main/t/tar/tar_1.16.orig.tar.gz
Size/MD5 checksum: 2199571 d971b9d6114ad0527ef89fab0d3167e0
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1.dsc
Size/MD5 checksum: 871 c7d9d75758a04174348cd65bb7aaab16
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_alpha
.deb
Size/MD5 checksum: 738546 c181b637bb4ed83619c0086bb3d19312
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_amd64
.deb
Size/MD5 checksum: 714108 b7287060cfefae808c694a60f9cb421c
arm architecture (ARM)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_arm.d
eb
Size/MD5 checksum: 671036 c20ed223967ec38af1ddf88d1b49eff9
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_hppa.
deb
Size/MD5 checksum: 695748 69013bb176a94d2ef6d17342728ed3f8
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_i386.
deb
Size/MD5 checksum: 675590 5630796721944b8f6c261628b0f2b18d
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_ia64.
deb
Size/MD5 checksum: 807488 0e4fd97fd5fef6a0b4fd6edba44ec9ca
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_mips.
deb
Size/MD5 checksum: 701392 c627d531a2d02d652a8fb220f90e51e1
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_mipse
l.deb
Size/MD5 checksum: 701162 979cdb4ee29782a1b9fa1d68c5de05ee
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_power
pc.deb
Size/MD5 checksum: 683616 73c25ecbdbf6aac0c814b1b16cdf99ab
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_s390.
deb
Size/MD5 checksum: 694000 2364d67dcc6eb6b160590189fa4553ad
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_sparc
.deb
Size/MD5 checksum: 668548 ec9e0a954b64ca8cbf8af1412870b8d8
These files will probably be moved into the stable distribution on
its next update.