sharutils security update
| Advisory: | RHSA-2005:377-07 |
|---|---|
| Type: | Security Advisory |
| Severity: | Low |
| Issued on: | 2005-04-26 |
| Last updated on: | 2005-04-26 |
| Affected Products: | Red Hat Desktop (v. 3) Red Hat Desktop (v. 4) Red Hat Enterprise Linux AS (v. 2.1) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux ES (v. 2.1) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) Red Hat Enterprise Linux WS (v. 2.1) Red Hat Enterprise Linux WS (v. 3) Red Hat Enterprise Linux WS (v. 4) Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor |
| CVEs (cve.mitre.org): |
CVE-2004-1772 CVE-2004-1773 CVE-2005-0990 |
Details
An updated sharutils package is now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
The sharutils package contains a set of tools for encoding and decoding
packages of files in binary or text format.
A stack based overflow bug was found in the way shar handles the -o option.
If a user can be tricked into running a specially crafted command, it could
lead to arbitrary code execution. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-1772 to this issue.
Please note that this issue does not affect Red Hat Enterprise Linux 4.
Two buffer overflow bugs were found in sharutils. If an attacker can place
a malicious 'wc' command on a victim's machine, or trick a victim into
running a specially crafted command, it could lead to arbitrary code
execution. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1773 to this issue.
A bug was found in the way unshar creates temporary files. A local user
could use symlinks to overwrite arbitrary files the victim running unshar
has write access to. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0990 to this issue.
All users of sharutils should upgrade to this updated package, which
includes backported fixes to correct these issues.
Solution
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
Updated packages
| Red Hat Desktop (v. 3) | |
| SRPMS: | |
| sharutils-4.2.1-16.2.src.rpm | MD5: 06a6b26786f3674b33280441417316c8 |
| IA-32: | |
| sharutils-4.2.1-16.2.i386.rpm | MD5: 3228571c5d375ff8ae96e6f7bf00a046 |
| x86_64: | |
| sharutils-4.2.1-16.2.x86_64.rpm | MD5: 337510c9c7925ed4e916b2733059d35d |
| Red Hat Desktop (v. 4) | |
| SRPMS: | |
| sharutils-4.2.1-22.2.src.rpm | MD5: fb0f041f40c952667fa9e2415bb95481 |
| IA-32: | |
| sharutils-4.2.1-22.2.i386.rpm | MD5: 5528e7145b01b940474eed14da1a4bf5 |
| x86_64: | |
| sharutils-4.2.1-22.2.x86_64.rpm | MD5: 96fa0ac9f458ea3bed71aca056478e91 |
| Red Hat Enterprise Linux AS (v. 2.1) | |
| SRPMS: | |
| sharutils-4.2.1-8.9.x.src.rpm | MD5: 4ff9ccec228d473e8983f60cec4f7bba |
| IA-32: | |
| sharutils-4.2.1-8.9.x.i386.rpm | MD5: a11c9f7ce6ec7e339554f88dd586ca53 |
| IA-64: | |
| sharutils-4.2.1-8.9.x.ia64.rpm | MD5: c80d5a08b52b452b2c11cb7b0dffc59b |
| Red Hat Enterprise Linux AS (v. 3) | |
| SRPMS: | |
| sharutils-4.2.1-16.2.src.rpm | MD5: 06a6b26786f3674b33280441417316c8 |
| IA-32: | |
| sharutils-4.2.1-16.2.i386.rpm | MD5: 3228571c5d375ff8ae96e6f7bf00a046 |
| IA-64: | |
| sharutils-4.2.1-16.2.ia64.rpm | MD5: caa4872797cbb61cbb3d86c9bc6b9c17 |
| PPC: | |
| sharutils-4.2.1-16.2.ppc.rpm | MD5: cf2564b18459cea9958c373396894ecc |
| s390: | |
| sharutils-4.2.1-16.2.s390.rpm | MD5: ee6bb67d0ea5d5d79539437f78f1128f |
| s390x: | |
| sharutils-4.2.1-16.2.s390x.rpm | MD5: 89114c0f739d46695fa787f3227a960c |
| x86_64: | |
| sharutils-4.2.1-16.2.x86_64.rpm | MD5: 337510c9c7925ed4e916b2733059d35d |
| Red Hat Enterprise Linux AS (v. 4) | |
| SRPMS: | |
| sharutils-4.2.1-22.2.src.rpm | MD5: fb0f041f40c952667fa9e2415bb95481 |
| IA-32: | |
| sharutils-4.2.1-22.2.i386.rpm | MD5: 5528e7145b01b940474eed14da1a4bf5 |
| IA-64: | |
| sharutils-4.2.1-22.2.ia64.rpm | MD5: 14609e1cd1f1d403ad562a27ff7090d0 |
| PPC: | |
| sharutils-4.2.1-22.2.ppc.rpm | MD5: 83ae1ab7519ccd7905256da2319e006e |
| s390: | |
| sharutils-4.2.1-22.2.s390.rpm | MD5: f81531770bdd340cf5bd39ebed7c211b |
| s390x: | |
| sharutils-4.2.1-22.2.s390x.rpm | MD5: c68d22a3a01ad42d71b7d34b35a49896 |
| x86_64: | |
| sharutils-4.2.1-22.2.x86_64.rpm | MD5: 96fa0ac9f458ea3bed71aca056478e91 |
| Red Hat Enterprise Linux ES (v. 2.1) | |
| SRPMS: | |
| sharutils-4.2.1-8.9.x.src.rpm | MD5: 4ff9ccec228d473e8983f60cec4f7bba |
| IA-32: | |
| sharutils-4.2.1-8.9.x.i386.rpm | MD5: a11c9f7ce6ec7e339554f88dd586ca53 |
| Red Hat Enterprise Linux ES (v. 3) | |
| SRPMS: | |
| sharutils-4.2.1-16.2.src.rpm | MD5: 06a6b26786f3674b33280441417316c8 |
| IA-32: | |
| sharutils-4.2.1-16.2.i386.rpm | MD5: 3228571c5d375ff8ae96e6f7bf00a046 |
| IA-64: | |
| sharutils-4.2.1-16.2.ia64.rpm | MD5: caa4872797cbb61cbb3d86c9bc6b9c17 |
| x86_64: | |
| sharutils-4.2.1-16.2.x86_64.rpm | MD5: 337510c9c7925ed4e916b2733059d35d |
| Red Hat Enterprise Linux ES (v. 4) | |
| SRPMS: | |
| sharutils-4.2.1-22.2.src.rpm | MD5: fb0f041f40c952667fa9e2415bb95481 |
| IA-32: | |
| sharutils-4.2.1-22.2.i386.rpm | MD5: 5528e7145b01b940474eed14da1a4bf5 |
| IA-64: | |
| sharutils-4.2.1-22.2.ia64.rpm | MD5: 14609e1cd1f1d403ad562a27ff7090d0 |
| x86_64: | |
| sharutils-4.2.1-22.2.x86_64.rpm | MD5: 96fa0ac9f458ea3bed71aca056478e91 |
| Red Hat Enterprise Linux WS (v. 2.1) | |
| SRPMS: | |
| sharutils-4.2.1-8.9.x.src.rpm | MD5: 4ff9ccec228d473e8983f60cec4f7bba |
| IA-32: | |
| sharutils-4.2.1-8.9.x.i386.rpm | MD5: a11c9f7ce6ec7e339554f88dd586ca53 |
| Red Hat Enterprise Linux WS (v. 3) | |
| SRPMS: | |
| sharutils-4.2.1-16.2.src.rpm | MD5: 06a6b26786f3674b33280441417316c8 |
| IA-32: | |
| sharutils-4.2.1-16.2.i386.rpm | MD5: 3228571c5d375ff8ae96e6f7bf00a046 |
| IA-64: | |
| sharutils-4.2.1-16.2.ia64.rpm | MD5: caa4872797cbb61cbb3d86c9bc6b9c17 |
| x86_64: | |
| sharutils-4.2.1-16.2.x86_64.rpm | MD5: 337510c9c7925ed4e916b2733059d35d |
| Red Hat Enterprise Linux WS (v. 4) | |
| SRPMS: | |
| sharutils-4.2.1-22.2.src.rpm | MD5: fb0f041f40c952667fa9e2415bb95481 |
| IA-32: | |
| sharutils-4.2.1-22.2.i386.rpm | MD5: 5528e7145b01b940474eed14da1a4bf5 |
| IA-64: | |
| sharutils-4.2.1-22.2.ia64.rpm | MD5: 14609e1cd1f1d403ad562a27ff7090d0 |
| x86_64: | |
| sharutils-4.2.1-22.2.x86_64.rpm | MD5: 96fa0ac9f458ea3bed71aca056478e91 |
| Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor | |
| SRPMS: | |
| sharutils-4.2.1-8.9.x.src.rpm | MD5: 4ff9ccec228d473e8983f60cec4f7bba |
| IA-64: | |
| sharutils-4.2.1-8.9.x.ia64.rpm | MD5: c80d5a08b52b452b2c11cb7b0dffc59b |
| (The unlinked packages above are only available from the Red Hat Network) | |
Bugs fixed (see bugzilla for more information)
152571 - CAN-2004-1772 buffer overflow with -o option
152573 - CAN-2004-1773 Buffer overflows in unshar
154049 - CAN-2005-0990 insecure temp file usage
References
https://www.redhat.com/security/data/cve/CVE-2004-1773.html
https://www.redhat.com/security/data/cve/CVE-2005-0990.html
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/
