CVE-2007-4476 Buffer overflow in the safer_name_suffix function

Related Vulnerabilities: CVE-2007-4476   CVE-2007-4131  

Debian Bug report logs - #441444
CVE-2007-4476 Buffer overflow in the safer_name_suffix function

Package: tar; Maintainer for tar is Bdale Garbee <bdale@gag.com>; Source for tar is src:tar (PTS, buildd, popcon).

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 9 Sep 2007 21:00:01 UTC

Severity: normal

Tags: patch

Found in version tar/1.16-2

Fixed in versions tar/1.18-1, tar/1.16-2etch4, tar/1.14-2.4

Done: Florian Weimer <fw@deneb.enyo.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#441444; Package tar. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4476 Buffer overflow in the safer_name_suffix function
Date: Sun, 9 Sep 2007 22:58:05 +0200
[Message part 1 (text/plain, inline)]
Package: tar
Version: 1.16-2
Severity: normal

Hi,
a CVE has been issued against tar:
CVE-2007-4476[0]:
Buffer overflow in the safer_name_suffix function in GNU tar 
has unspecified attack vectors and impact, resulting in a 
"crashing stack."

The SuSE security announcement is not really helpful for
more information. I extracted the patch from the SuSE source
RPM. For unstable and testing this problem is fixed because the whole
function has been replaced by transform_member_name(), which
works totally differently.

Etch is affected by this problem; however, the code is not in
names.c but in lib/libpaxnames.c.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[tar-paxlib-owl-alloca.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 09 Sep 2007 21:06:02 GMT) (full text, mbox, link).


Bug marked as fixed in version 1.18-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 09 Sep 2007 21:12:02 GMT) (full text, mbox, link).


Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #14 received at 441444-close@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: 441444-close@bugs.debian.org
Subject: Bug#441444: fixed in tar 1.16-2etch4
Date: Fri, 28 Dec 2007 19:52:16 +0000
Source: tar
Source-Version: 1.16-2etch4

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive:

tar_1.16-2etch4.diff.gz
  to pool/main/t/tar/tar_1.16-2etch4.diff.gz
tar_1.16-2etch4.dsc
  to pool/main/t/tar/tar_1.16-2etch4.dsc
tar_1.16-2etch4_amd64.deb
  to pool/main/t/tar/tar_1.16-2etch4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 441444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 26 Dec 2007 13:30:08 +0100
Source: tar
Binary: tar
Architecture: source amd64
Version: 1.16-2etch4
Distribution: stable-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 tar        - GNU tar
Closes: 439335 441444
Changes: 
 tar (1.16-2etch4) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply patch from Dmitry V. Levin <ldv@owl.openwall.com> to avoid a
     stack-based buffer overflow while processing certain file names
     (CVE-2007-4476).  Closes: #441444.
   * Apply patch from Dmitry V. Levin to fix double-dot recognition
     in case of duplicate / (CVE-2007-4131).  Closes: #439335.
   * Update the autoconf scripts to the etch version (no functional
     changes, hopefully).
Files: 
 c7d9d75758a04174348cd65bb7aaab16 871 utils required tar_1.16-2etch4.dsc
 d971b9d6114ad0527ef89fab0d3167e0 2199571 utils required tar_1.16.orig.tar.gz
 96eb9bcd2d8257893a4f530eb00c9da5 31360 utils required tar_1.16-2etch4.diff.gz
 b7287060cfefae808c694a60f9cb421c 714108 utils required tar_1.16-2etch4_amd64.deb


Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #19 received at 441444-close@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: 441444-close@bugs.debian.org
Subject: Bug#441444: fixed in tar 1.14-2.4
Date: Fri, 28 Dec 2007 19:52:23 +0000
Source: tar
Source-Version: 1.14-2.4

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive:

tar_1.14-2.4.diff.gz
  to pool/main/t/tar/tar_1.14-2.4.diff.gz
tar_1.14-2.4.dsc
  to pool/main/t/tar/tar_1.14-2.4.dsc
tar_1.14-2.4_i386.deb
  to pool/main/t/tar/tar_1.14-2.4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 441444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 26 Dec 2007 12:19:01 +0100
Source: tar
Binary: tar
Architecture: source i386
Version: 1.14-2.4
Distribution: oldstable-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 tar        - GNU tar
Closes: 439335 441444
Changes: 
 tar (1.14-2.4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply patch from Dmitry V. Levin <ldv@owl.openwall.com> to avoid a
     stack-based buffer overflow while processing certain file names
     (CVE-2007-4476).  Closes: #441444.
   * Apply patch from Dmitry V. Levin to fix double-dot recognition
     in case of duplicate / (CVE-2007-4131).  Closes: #439335.
Files: 
 cbcbbd7c638de842f913ac566c3f0b0a 846 base required tar_1.14-2.4.dsc
 2675ec9acdf59ba6f0c54e5325675fcf 51869 base required tar_1.14-2.4.diff.gz
 3b1099df9c1df15768f8dc568068e02f 500822 base required tar_1.14-2.4_i386.deb


Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #24 received at 441444-close@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: 441444-close@bugs.debian.org
Subject: Bug#441444: fixed in tar 1.16-2etch4
Date: Sat, 16 Feb 2008 12:17:30 +0000
Source: tar
Source-Version: 1.16-2etch4

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive:

tar_1.16-2etch4.diff.gz
  to pool/main/t/tar/tar_1.16-2etch4.diff.gz
tar_1.16-2etch4.dsc
  to pool/main/t/tar/tar_1.16-2etch4.dsc
tar_1.16-2etch4_amd64.deb
  to pool/main/t/tar/tar_1.16-2etch4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 441444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 26 Dec 2007 13:30:08 +0100
Source: tar
Binary: tar
Architecture: source amd64
Version: 1.16-2etch4
Distribution: stable-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 tar        - GNU tar
Closes: 439335 441444
Changes: 
 tar (1.16-2etch4) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply patch from Dmitry V. Levin <ldv@owl.openwall.com> to avoid a
     stack-based buffer overflow while processing certain file names
     (CVE-2007-4476).  Closes: #441444.
   * Apply patch from Dmitry V. Levin to fix double-dot recognition
     in case of duplicate / (CVE-2007-4131).  Closes: #439335.
   * Update the autoconf scripts to the etch version (no functional
     changes, hopefully).
Files: 
 c7d9d75758a04174348cd65bb7aaab16 871 utils required tar_1.16-2etch4.dsc
 d971b9d6114ad0527ef89fab0d3167e0 2199571 utils required tar_1.16.orig.tar.gz
 96eb9bcd2d8257893a4f530eb00c9da5 31360 utils required tar_1.16-2etch4.diff.gz
 b7287060cfefae808c694a60f9cb421c 714108 utils required tar_1.16-2etch4_amd64.deb


Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #29 received at 441444-close@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: 441444-close@bugs.debian.org
Subject: Bug#441444: fixed in tar 1.14-2.4
Date: Sat, 12 Apr 2008 17:54:57 +0000
Source: tar
Source-Version: 1.14-2.4

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive:

tar_1.14-2.4.diff.gz
  to pool/main/t/tar/tar_1.14-2.4.diff.gz
tar_1.14-2.4.dsc
  to pool/main/t/tar/tar_1.14-2.4.dsc
tar_1.14-2.4_i386.deb
  to pool/main/t/tar/tar_1.14-2.4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 441444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 26 Dec 2007 12:19:01 +0100
Source: tar
Binary: tar
Architecture: source i386
Version: 1.14-2.4
Distribution: oldstable-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 tar        - GNU tar
Closes: 439335 441444
Changes: 
 tar (1.14-2.4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply patch from Dmitry V. Levin <ldv@owl.openwall.com> to avoid a
     stack-based buffer overflow while processing certain file names
     (CVE-2007-4476).  Closes: #441444.
   * Apply patch from Dmitry V. Levin to fix double-dot recognition
     in case of duplicate / (CVE-2007-4131).  Closes: #439335.
Files: 
 cbcbbd7c638de842f913ac566c3f0b0a 846 base required tar_1.14-2.4.dsc
 2675ec9acdf59ba6f0c54e5325675fcf 51869 base required tar_1.14-2.4.diff.gz
 3b1099df9c1df15768f8dc568068e02f 500822 base required tar_1.14-2.4_i386.deb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 22 Jul 2008 07:32:24 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:53:20 2019; Machine Name: beach
