Security Advisory Moderate: tar security update

Advisory: RHSA-2010:0142-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-03-15
Last updated on: 2010-03-15
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CVE-2010-0624

Details

An updated tar package that fixes one security issue is now available for
Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive.

A heap-based buffer overflow flaw was found in the way tar expanded archive
files. If a user were tricked into expanding a specially-crafted archive,
it could cause the tar executable to crash or execute arbitrary code with
the privileges of the user running tar. (CVE-2010-0624)

Red Hat would like to thank Jakob Lell for responsibly reporting this
issue.

Users of tar are advised to upgrade to this updated package, which contains
a backported patch to correct this issue.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
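
As an added example (not part of the Red Hat advisory): a Python check that flags hosts whose installed tar build is older than tar-1.13.25-16.RHEL3, the build this advisory lists under Updated packages. It assumes Red Hat Enterprise Linux 3 hosts, a tar package with no epoch, and rpm's classic segment-by-segment version ordering; the hostnames and the older release strings in the sample are constructed.

```python
import re

# Fixed build named in this advisory's package list: tar-1.13.25-16.RHEL3
FIXED = ("1.13.25", "16.RHEL3")

def rpmvercmp(a, b):
    """Compare two RPM version or release strings the way rpm orders them
    (classic rules, no epoch or tilde handling): split into digit runs and
    letter runs, compare digit runs numerically and letter runs lexically;
    a digit run beats a letter run, and extra trailing segments are newer."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x[0].isdigit() and y[0].isdigit():
            x, y = int(x), int(y)          # "9" < "16" numerically
        elif x[0].isdigit():
            return 1
        elif y[0].isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def has_fix(version, release):
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED[0])
    return c > 0 or (c == 0 and rpmvercmp(release, FIXED[1]) >= 0)

def unpatched_hosts(inventory):
    """Return hosts whose reported tar build predates the fix.
    Each inventory line has the form '<host> <version> <release>'."""
    flagged = []
    for line in inventory.strip().splitlines():
        host, version, release = line.split()
        if not has_fix(version, release):
            flagged.append(host)
    return flagged

# Constructed sample inventory (hostnames and the older releases are made up).
SAMPLE = """
ws-01 1.13.25 16.RHEL3
ws-02 1.13.25 15.RHEL3
as-01 1.13.25 9.RHEL3
es-01 1.13.25 16.RHEL3.1
"""

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE))
```

Input lines can be collected on each host with rpm -q --qf '%{VERSION} %{RELEASE}\n' tar and prefixed with the hostname. A plain string comparison would rank release 9.RHEL3 above 16.RHEL3, which is why the digit runs are compared as numbers.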

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/SRPMS/tar-1.13.25-16.RHEL3.src.rpm
 
IA-32:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/i386/tar-1.13.25-16.RHEL3.i386.rpm
 
x86_64:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/x86_64/tar-1.13.25-16.RHEL3.x86_64.rpm
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/SRPMS/tar-1.13.25-16.RHEL3.src.rpm
 
IA-32:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/i386/tar-1.13.25-16.RHEL3.i386.rpm
 
IA-64:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/ia64/tar-1.13.25-16.RHEL3.ia64.rpm
 
PPC:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/ppc/tar-1.13.25-16.RHEL3.ppc.rpm
 
s390:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/s390/tar-1.13.25-16.RHEL3.s390.rpm
 
s390x:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/s390x/tar-1.13.25-16.RHEL3.s390x.rpm
 
x86_64:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/x86_64/tar-1.13.25-16.RHEL3.x86_64.rpm
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/SRPMS/tar-1.13.25-16.RHEL3.src.rpm
 
IA-32:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/i386/tar-1.13.25-16.RHEL3.i386.rpm
 
IA-64:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/ia64/tar-1.13.25-16.RHEL3.ia64.rpm
 
x86_64:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/x86_64/tar-1.13.25-16.RHEL3.x86_64.rpm
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/SRPMS/tar-1.13.25-16.RHEL3.src.rpm
 
IA-32:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/i386/tar-1.13.25-16.RHEL3.i386.rpm
 
IA-64:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/ia64/tar-1.13.25-16.RHEL3.ia64.rpm
 
x86_64:
ftp://updates.redhat.com/rhn/public/NULL/tar/1.13.25-16.RHEL3/x86_64/tar-1.13.25-16.RHEL3.x86_64.rpm
 

Bugs fixed (see bugzilla for more information)

564368 - CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/