
Security Advisory Moderate: tar security update

Advisory: RHSA-2010:0141-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-03-15
Last updated on: 2010-03-15
Affected Products:
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux (v. 5 server)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux AS (v. 4.8.z)
  Red Hat Enterprise Linux Desktop (v. 5 client)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux ES (v. 4.8.z)
  Red Hat Enterprise Linux EUS (v. 5.4.z server)
  Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org):
  CVE-2007-4476
  CVE-2010-0624

Details

An updated tar package that fixes two security issues is now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive.

A heap-based buffer overflow flaw was found in the way tar expanded archive
files. If a user were tricked into expanding a specially-crafted archive,
it could cause the tar executable to crash or execute arbitrary code with
the privileges of the user running tar. (CVE-2010-0624)

Red Hat would like to thank Jakob Lell for responsibly reporting the
CVE-2010-0624 issue.

A denial of service flaw was found in the way tar expanded archive files.
If a user expanded a specially-crafted archive, it could cause the tar
executable to crash. (CVE-2007-4476)

Users of tar are advised to upgrade to this updated package, which contains
backported patches to correct these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
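
An added example, not part of the Red Hat advisory: one way to audit a package inventory against the fixed builds this advisory lists (tar-1.14-13.el4_8.1 for Red Hat Enterprise Linux 4, tar-1.15.1-23.0.1.el5_4.2 for Red Hat Enterprise Linux 5). It assumes each input string has the form produced by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' tar`; the host names and installed builds are constructed, and `rpmvercmp` is a simplified reimplementation of RPM's segment comparison, not RPM's own code.

```python
import re

# Fixed builds, copied from this advisory's "Updated packages" list.
FIXED = {
    "el4": ("1.14", "13.el4_8.1"),
    "el5": ("1.15.1", "23.0.1.el5_4.2"),
}

def rpmvercmp(a, b):
    """Compare version or release strings segment by segment, the way RPM does.
    Simplified: no epoch, tilde or caret handling (these builds use none)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments: newer

def check_tar(nvr):
    """Classify one installed NVR as 'patched', 'vulnerable' or 'unknown'."""
    try:
        name, version, release = nvr.strip().rsplit("-", 2)
    except ValueError:
        return "unknown"
    dist = re.search(r"el[45]", release)
    if name != "tar" or not dist:
        return "unknown"                     # not a build this advisory covers
    fixed_version, fixed_release = FIXED[dist.group(0)]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return "patched" if order >= 0 else "vulnerable"

# Constructed inventory (hypothetical hosts and installed builds).
INVENTORY = [
    ("host-a", "tar-1.14-13.el4"),
    ("host-b", "tar-1.14-13.el4_8.1"),
    ("host-c", "tar-1.15.1-23.0.1.el5"),
    ("host-d", "tar-1.15.1-23.0.1.el5_4.10"),  # later than _4.2 numerically
]

def audit(inventory):
    return {host: check_tar(nvr) for host, nvr in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(host, status)
```

The `host-d` entry is the case a plain string comparison gets wrong: `_4.10` sorts before `_4.2` lexically but is the newer release.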

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
tar-1.14-13.el4_8.1.src.rpm

IA-32:
tar-1.14-13.el4_8.1.i386.rpm

x86_64:
tar-1.14-13.el4_8.1.x86_64.rpm
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
tar-1.15.1-23.0.1.el5_4.2.src.rpm
File outdated by:  RHBA-2012:0580

IA-32:
tar-1.15.1-23.0.1.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0580

IA-64:
tar-1.15.1-23.0.1.el5_4.2.ia64.rpm
File outdated by:  RHBA-2012:0580

PPC:
tar-1.15.1-23.0.1.el5_4.2.ppc.rpm
File outdated by:  RHBA-2012:0580

s390x:
tar-1.15.1-23.0.1.el5_4.2.s390x.rpm
File outdated by:  RHBA-2012:0580

x86_64:
tar-1.15.1-23.0.1.el5_4.2.x86_64.rpm
File outdated by:  RHBA-2012:0580
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
tar-1.14-13.el4_8.1.src.rpm

IA-32:
tar-1.14-13.el4_8.1.i386.rpm

IA-64:
tar-1.14-13.el4_8.1.ia64.rpm

PPC:
tar-1.14-13.el4_8.1.ppc.rpm

s390:
tar-1.14-13.el4_8.1.s390.rpm

s390x:
tar-1.14-13.el4_8.1.s390x.rpm

x86_64:
tar-1.14-13.el4_8.1.x86_64.rpm
 
Red Hat Enterprise Linux AS (v. 4.8.z)

SRPMS:
tar-1.14-13.el4_8.1.src.rpm

IA-32:
tar-1.14-13.el4_8.1.i386.rpm

IA-64:
tar-1.14-13.el4_8.1.ia64.rpm

PPC:
tar-1.14-13.el4_8.1.ppc.rpm

s390:
tar-1.14-13.el4_8.1.s390.rpm

s390x:
tar-1.14-13.el4_8.1.s390x.rpm

x86_64:
tar-1.14-13.el4_8.1.x86_64.rpm
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
tar-1.15.1-23.0.1.el5_4.2.src.rpm
File outdated by:  RHBA-2012:0580

IA-32:
tar-1.15.1-23.0.1.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0580

x86_64:
tar-1.15.1-23.0.1.el5_4.2.x86_64.rpm
File outdated by:  RHBA-2012:0580
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
tar-1.14-13.el4_8.1.src.rpm

IA-32:
tar-1.14-13.el4_8.1.i386.rpm

IA-64:
tar-1.14-13.el4_8.1.ia64.rpm

x86_64:
tar-1.14-13.el4_8.1.x86_64.rpm
 
Red Hat Enterprise Linux ES (v. 4.8.z)

SRPMS:
tar-1.14-13.el4_8.1.src.rpm

IA-32:
tar-1.14-13.el4_8.1.i386.rpm

IA-64:
tar-1.14-13.el4_8.1.ia64.rpm

x86_64:
tar-1.14-13.el4_8.1.x86_64.rpm
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
tar-1.15.1-23.0.1.el5_4.2.src.rpm
File outdated by:  RHBA-2012:0580

IA-32:
tar-1.15.1-23.0.1.el5_4.2.i386.rpm

IA-64:
tar-1.15.1-23.0.1.el5_4.2.ia64.rpm

PPC:
tar-1.15.1-23.0.1.el5_4.2.ppc.rpm

s390x:
tar-1.15.1-23.0.1.el5_4.2.s390x.rpm

x86_64:
tar-1.15.1-23.0.1.el5_4.2.x86_64.rpm
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
tar-1.14-13.el4_8.1.src.rpm

IA-32:
tar-1.14-13.el4_8.1.i386.rpm

IA-64:
tar-1.14-13.el4_8.1.ia64.rpm

x86_64:
tar-1.14-13.el4_8.1.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

280961 - CVE-2007-4476 tar/cpio stack crashing in safer_name_suffix
564368 - CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/