Skip to navigation

Security Advisory Moderate: star security update

Advisory: RHSA-2007:0873-2
Type: Security Advisory
Severity: Moderate
Issued on: 2007-09-04
Last updated on: 2007-09-04
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2007-4134

Details

An updated star package that fixes a path traversal flaw is now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Star is a tar-like archiver. It saves multiple files into a single tape or
disk archive, and can restore individual files from the archive. Star
includes multi-volume support, automatic archive format detection and ACL
support.

A path traversal flaw was discovered in the way star extracted archives. A
malicious user could create a tar archive that would cause star to write to
arbitrary files to which the user running star had write access.
(CVE-2007-4134)

Red Hat would like to thank Robert Buchholz for reporting this issue.

As well, this update adds the command line argument "-.." to the Red Hat
Enterprise Linux 3 version of star. This allows star to extract files
containing "/../" in their pathname.

Users of star should upgrade to this updated package, which contain
backported patches to correct these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 3)
SRPMS:
star-1.5a08-5.src.rpm     MD5: eb60c4d98794cc4331db4853ef4ddffb
 
IA-32:
star-1.5a08-5.i386.rpm     MD5: 8d0acc63d8b6581d31a47898ec0f3408
 
x86_64:
star-1.5a08-5.x86_64.rpm     MD5: 602b1f975b422178fa2a15db98c88b01
 
Red Hat Desktop (v. 4)
SRPMS:
star-1.5a25-8.src.rpm     MD5: 2a15a59bd63fc8657c8a5de1097a0e36
 
IA-32:
star-1.5a25-8.i386.rpm     MD5: cec9ee628151fa5e57a8313b8d7e7d81
 
x86_64:
star-1.5a25-8.x86_64.rpm     MD5: 84c057a5e76010e931ede389164aba22
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
star-1.5a75-2.src.rpm
File outdated by:  RHBA-2009:1575		     MD5: 2d83e1f9e3e42cdca6a6db6b4c2f7dd2
 
IA-32:
star-1.5a75-2.i386.rpm
File outdated by:  RHBA-2009:1575		     MD5: b945a3cfb3c7f8239fbc613bfe445254
 
IA-64:
star-1.5a75-2.ia64.rpm
File outdated by:  RHBA-2009:1575		     MD5: b6d506554b5b39ad85bf6e58fd529e4d
 
PPC:
star-1.5a75-2.ppc.rpm
File outdated by:  RHBA-2009:1575		     MD5: 3adb3aabcfb038ede187ca08445ebd72
 
s390x:
star-1.5a75-2.s390x.rpm
File outdated by:  RHBA-2009:1575		     MD5: 1401caceab1df673f08fa150c852ec4c
 
x86_64:
star-1.5a75-2.x86_64.rpm
File outdated by:  RHBA-2009:1575		     MD5: a0c5aedf4e2ddfe326355d9c00548446
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
star-1.5a08-5.src.rpm     MD5: eb60c4d98794cc4331db4853ef4ddffb
 
IA-32:
star-1.5a08-5.i386.rpm     MD5: 8d0acc63d8b6581d31a47898ec0f3408
 
IA-64:
star-1.5a08-5.ia64.rpm     MD5: 0b96bc977983d286b85b09321ce9cfc0
 
PPC:
star-1.5a08-5.ppc.rpm     MD5: 108660e211b16f43661aceb7ba78b498
 
s390:
star-1.5a08-5.s390.rpm     MD5: 9bde61312d7d4965ddf73fb9ac1d6f89
 
s390x:
star-1.5a08-5.s390x.rpm     MD5: a0ee684e324affe6f2f456a00529c2c8
 
x86_64:
star-1.5a08-5.x86_64.rpm     MD5: 602b1f975b422178fa2a15db98c88b01
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
star-1.5a25-8.src.rpm     MD5: 2a15a59bd63fc8657c8a5de1097a0e36
 
IA-32:
star-1.5a25-8.i386.rpm     MD5: cec9ee628151fa5e57a8313b8d7e7d81
 
IA-64:
star-1.5a25-8.ia64.rpm     MD5: a9070af290f4e3aaee258428abbd6928
 
PPC:
star-1.5a25-8.ppc.rpm     MD5: cc849ee1748afe9b30c223f97ac494cd
 
s390:
star-1.5a25-8.s390.rpm     MD5: 7d70e8860e502b9ac0ac349720c7cf96
 
s390x:
star-1.5a25-8.s390x.rpm     MD5: bab6e74335bd2e753f197a2b5ed9e760
 
x86_64:
star-1.5a25-8.x86_64.rpm     MD5: 84c057a5e76010e931ede389164aba22
 
Red Hat Enterprise Linux AS (v. 4.5.z)
SRPMS:
star-1.5a25-8.src.rpm     MD5: 2a15a59bd63fc8657c8a5de1097a0e36
 
IA-32:
star-1.5a25-8.i386.rpm     MD5: cec9ee628151fa5e57a8313b8d7e7d81
 
IA-64:
star-1.5a25-8.ia64.rpm     MD5: a9070af290f4e3aaee258428abbd6928
 
PPC:
star-1.5a25-8.ppc.rpm     MD5: cc849ee1748afe9b30c223f97ac494cd
 
s390:
star-1.5a25-8.s390.rpm     MD5: 7d70e8860e502b9ac0ac349720c7cf96
 
s390x:
star-1.5a25-8.s390x.rpm     MD5: bab6e74335bd2e753f197a2b5ed9e760
 
x86_64:
star-1.5a25-8.x86_64.rpm     MD5: 84c057a5e76010e931ede389164aba22
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
star-1.5a75-2.src.rpm
File outdated by:  RHBA-2009:1575		     MD5: 2d83e1f9e3e42cdca6a6db6b4c2f7dd2
 
IA-32:
star-1.5a75-2.i386.rpm
File outdated by:  RHBA-2009:1575		     MD5: b945a3cfb3c7f8239fbc613bfe445254
 
x86_64:
star-1.5a75-2.x86_64.rpm
File outdated by:  RHBA-2009:1575		     MD5: a0c5aedf4e2ddfe326355d9c00548446
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
star-1.5a08-5.src.rpm     MD5: eb60c4d98794cc4331db4853ef4ddffb
 
IA-32:
star-1.5a08-5.i386.rpm     MD5: 8d0acc63d8b6581d31a47898ec0f3408
 
IA-64:
star-1.5a08-5.ia64.rpm     MD5: 0b96bc977983d286b85b09321ce9cfc0
 
x86_64:
star-1.5a08-5.x86_64.rpm     MD5: 602b1f975b422178fa2a15db98c88b01
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
star-1.5a25-8.src.rpm     MD5: 2a15a59bd63fc8657c8a5de1097a0e36
 
IA-32:
star-1.5a25-8.i386.rpm     MD5: cec9ee628151fa5e57a8313b8d7e7d81
 
IA-64:
star-1.5a25-8.ia64.rpm     MD5: a9070af290f4e3aaee258428abbd6928
 
x86_64:
star-1.5a25-8.x86_64.rpm     MD5: 84c057a5e76010e931ede389164aba22
 
Red Hat Enterprise Linux ES (v. 4.5.z)
SRPMS:
star-1.5a25-8.src.rpm     MD5: 2a15a59bd63fc8657c8a5de1097a0e36
 
IA-32:
star-1.5a25-8.i386.rpm     MD5: cec9ee628151fa5e57a8313b8d7e7d81
 
IA-64:
star-1.5a25-8.ia64.rpm     MD5: a9070af290f4e3aaee258428abbd6928
 
x86_64:
star-1.5a25-8.x86_64.rpm     MD5: 84c057a5e76010e931ede389164aba22
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
star-1.5a08-5.src.rpm     MD5: eb60c4d98794cc4331db4853ef4ddffb
 
IA-32:
star-1.5a08-5.i386.rpm     MD5: 8d0acc63d8b6581d31a47898ec0f3408
 
IA-64:
star-1.5a08-5.ia64.rpm     MD5: 0b96bc977983d286b85b09321ce9cfc0
 
x86_64:
star-1.5a08-5.x86_64.rpm     MD5: 602b1f975b422178fa2a15db98c88b01
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
star-1.5a25-8.src.rpm     MD5: 2a15a59bd63fc8657c8a5de1097a0e36
 
IA-32:
star-1.5a25-8.i386.rpm     MD5: cec9ee628151fa5e57a8313b8d7e7d81
 
IA-64:
star-1.5a25-8.ia64.rpm     MD5: a9070af290f4e3aaee258428abbd6928
 
x86_64:
star-1.5a25-8.x86_64.rpm     MD5: 84c057a5e76010e931ede389164aba22
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

253856 - CVE-2007-4134 star directory traversal vulnerability


References

https://www.redhat.com/security/data/cve/CVE-2007-4134.html
http://www.redhat.com/security/updates/classification/#moderate

Keywords

path, traversal

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/