[UCI-Linux] bugzilla@redhat.com: [RHSA-2002:096-24] Updated unzip and tar packages fix vulnerabilities

Mike IGLESIAS IGLESIAS@uci.edu
Mon, 30 Sep 2002 08:18:38 -0700


------- Forwarded Message

Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com [205.206.231.26])
	by draco.acs.uci.edu (8.11.6/8.11.6) with ESMTP id g8UFExd12937
	for <iglesias@draco.acs.uci.edu>; Mon, 30 Sep 2002 08:15:00 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
	by outgoing.securityfocus.com (Postfix) with QMQP
	id 3635A8F299; Mon, 30 Sep 2002 08:10:37 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 3927 invoked from network); 29 Sep 2002 08:34:25 -0000
Message-Id: <200209290855.g8T8tXA00789@porkchop.devel.redhat.com>
Mime-version: 1.0
Content-type: text/plain; charset="iso-8859-1"
Subject: [RHSA-2002:096-24] Updated unzip and tar packages fix vulnerabilities
From: bugzilla@redhat.com
Date: Sun, 29 Sep 2002 04:55 -0400
To: redhat-watch-list@redhat.com, redhat-announce-list@redhat.com
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by draco.acs.uci.edu id g8UFExd12937
X-Spam-Status: No, hits=1.9 required=5.0
	tests=NO_REAL_NAME,DOUBLE_CAPSWORD,WEIRD_PORT
	version=2.31
X-Spam-Level: *

- ---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated unzip and tar packages fix vulnerabilities
Advisory ID:       RHSA-2002:096-24
Issue date:        2002-05-20
Updated on:        2002-09-18
Product:           Red Hat Linux
Keywords:          unzip tar path unpack
Cross references:  
Obsoletes:         
CVE Names:         CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
- ---------------------------------------------------------------------

1. Topic:

The unzip and tar utilities contain vulnerabilities which can allow
arbitrary files to be overwritten during archive extraction.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc
Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386

3. Problem description:

The unzip and tar utilities are used for manipulating archives, which
are multiple files stored inside of a single file.

A directory traversal vulnerability in unzip version 5.42 and earlier,
as well as GNU tar 1.13.19 and earlier, allows attackers to overwrite
arbitrary files during archive extraction via a ".." (dot dot) in an
extracted filename. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2001-1267 and CAN-2001-1268 to
this issue. 

In addition, unzip version 5.42 and earlier also allows attackers to
overwrite arbitrary files during archive extraction via filenames in the
archive that begin with the "/" (slash) character. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2001-1269 to this issue.

During testing of the fix to GNU tar, it was discovered that GNU tar
1.13.25 was still vulnerable to a modified version of the same problem. Red
Hat has provided a patch to tar 1.3.25 to correct this problem. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2002-0399 to this issue.

Users of unzip and tar are advised to upgrade to these errata packages,
containing unzip version 5.50 (for Red Hat Linux 6.2, 7, 7.1, and 7.2) and
a patched version of GNU tar 1.13.25 (for Red Hat Linux 6.2, 7, 7.1, 7.2,
and 7.3), which are not vulnerable to these issues.

Important Note: For users of Red Hat Linux 6.2 and 7 only, these errata
packages change one of the command line options for tar.  Previously the
'-I' option was used to enable bzip2 compression, while in these errata
packages the option has changed to '-j'.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/unzip-5.50-1.62.src.rpm
ftp://updates.redhat.com/6.2/en/os/SRPMS/tar-1.13.25-1.6.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/unzip-5.50-1.62.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/tar-1.13.25-1.6.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/unzip-5.50-1.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/tar-1.13.25-1.6.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/unzip-5.50-1.62.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/tar-1.13.25-1.6.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/unzip-5.50-2.src.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/unzip-5.50-2.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/tar-1.13.25-4.7.1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/unzip-5.50-2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/tar-1.13.25-4.7.1.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/unzip-5.50-2.src.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/unzip-5.50-2.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/tar-1.13.25-4.7.1.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/unzip-5.50-2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/tar-1.13.25-4.7.1.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/unzip-5.50-2.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/tar-1.13.25-4.7.1.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/unzip-5.50-2.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/unzip-5.50-2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/tar-1.13.25-4.7.1.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/unzip-5.50-2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/tar-1.13.25-4.7.1.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/tar-1.13.25-4.7.1.i386.rpm



6. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
bb301fb39190fdfbc17f0c8c172f920a 6.2/en/os/SRPMS/tar-1.13.25-1.6.src.rpm
5dcc6924500aa5f7858ae266a5f8998b 6.2/en/os/SRPMS/unzip-5.50-1.62.src.rpm
fef15632b9bcf32d14356654134c53c5 6.2/en/os/alpha/tar-1.13.25-1.6.alpha.rpm
2b3d7a3a5ec06ced671e8e338f3e6c4e 6.2/en/os/alpha/unzip-5.50-1.62.alpha.rpm
81004b0dd856b5e68847d7b3c98df7fc 6.2/en/os/i386/tar-1.13.25-1.6.i386.rpm
9bae9f9eb1f4465aef6d8e88fc651cbd 6.2/en/os/i386/unzip-5.50-1.62.i386.rpm
ac09b26f328364bcbffef59d92b7544c 6.2/en/os/sparc/tar-1.13.25-1.6.sparc.rpm
a68f875f73dc8551a65018ab46bb28c3 6.2/en/os/sparc/unzip-5.50-1.62.sparc.rpm
0b54c5bd9400cdedd26bdf64d9e69a80 7.0/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm
2c1387cc558515919e2585b5708fd219 7.0/en/os/SRPMS/unzip-5.50-2.src.rpm
c12063f58936ceb68848530b8e69d304 7.0/en/os/alpha/tar-1.13.25-4.7.1.alpha.rpm
25e5cb389451c393a58c8e2755180925 7.0/en/os/alpha/unzip-5.50-2.alpha.rpm
fb5f89ea78abb60d50424dda0ac0db79 7.0/en/os/i386/tar-1.13.25-4.7.1.i386.rpm
877f4fda6198e604b539fb85664a3aad 7.0/en/os/i386/unzip-5.50-2.i386.rpm
0b54c5bd9400cdedd26bdf64d9e69a80 7.1/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm
2c1387cc558515919e2585b5708fd219 7.1/en/os/SRPMS/unzip-5.50-2.src.rpm
c12063f58936ceb68848530b8e69d304 7.1/en/os/alpha/tar-1.13.25-4.7.1.alpha.rpm
25e5cb389451c393a58c8e2755180925 7.1/en/os/alpha/unzip-5.50-2.alpha.rpm
fb5f89ea78abb60d50424dda0ac0db79 7.1/en/os/i386/tar-1.13.25-4.7.1.i386.rpm
877f4fda6198e604b539fb85664a3aad 7.1/en/os/i386/unzip-5.50-2.i386.rpm
a8aa3558565507d16f8cb91b6fed5d88 7.1/en/os/ia64/tar-1.13.25-4.7.1.ia64.rpm
f233de217386e5913b6460d22022dbb6 7.1/en/os/ia64/unzip-5.50-2.ia64.rpm
0b54c5bd9400cdedd26bdf64d9e69a80 7.2/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm
2c1387cc558515919e2585b5708fd219 7.2/en/os/SRPMS/unzip-5.50-2.src.rpm
fb5f89ea78abb60d50424dda0ac0db79 7.2/en/os/i386/tar-1.13.25-4.7.1.i386.rpm
877f4fda6198e604b539fb85664a3aad 7.2/en/os/i386/unzip-5.50-2.i386.rpm
a8aa3558565507d16f8cb91b6fed5d88 7.2/en/os/ia64/tar-1.13.25-4.7.1.ia64.rpm
f233de217386e5913b6460d22022dbb6 7.2/en/os/ia64/unzip-5.50-2.ia64.rpm
0b54c5bd9400cdedd26bdf64d9e69a80 7.3/en/os/SRPMS/tar-1.13.25-4.7.1.src.rpm
fb5f89ea78abb60d50424dda0ac0db79 7.3/en/os/i386/tar-1.13.25-4.7.1.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>


7. References:

http://online.securityfocus.com/archive/1/196445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0399


Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

------- End of Forwarded Message