Date: Thu, 10 Oct 2013 10:06:05 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
CC: timo.warns@...il.com, cdfrey@...rsquare.net
Subject: Integer overflow in libtar (<= 1.2.19)

Hi All,

Forwarding information from the linux-distros list to oss-sec, since
the issue is public now.

Details:

An integer overflow vulnerability was identified in libtar 1.2.19 (and
older) that can possibly be exploited for arbitrary code execution when
extracting a specially crafted tar file.

A coordinated release date (CRD) of October 9th has been agreed with
Chris Frey (libtar developer).

This issue is assigned CVE-2013-4397.
This issue is fixed in libtar-1.2.20

Reference:

Upstream patch:
http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04

Announcement: This is an announcement about the release on the
libtar list, but strangely I can't access the list archives
(I am subscribed to the mailing list, though).

Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1014492

-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team
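The bug class the advisory names, an integer overflow in a size derived from a tar header, as an added illustration that is not libtar's code and does not reproduce the specific CVE-2013-4397 flaw (the upstream patch linked above is the authoritative fix). The ustar header below is constructed for the demonstration; the function names, the 32-bit narrowing in alloc_len_unchecked and the max_sz policy limit are assumptions of this example, not details taken from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define T_BLOCKSIZE 512      /* tar records are 512-byte blocks */
#define SIZE_OFF    124      /* offset of the "size" field in a ustar header */
#define SIZE_LEN    12       /* the field is 12 bytes of ASCII octal */

/* Build a constructed (fake) ustar header whose size field holds the given
 * octal string. Sample input for this demonstration, not a real archive. */
void make_header(unsigned char hdr[T_BLOCKSIZE], const char *octal_size)
{
    size_t n = strlen(octal_size);
    if (n > SIZE_LEN)
        n = SIZE_LEN;
    memset(hdr, 0, T_BLOCKSIZE);
    memcpy(hdr, "payload.bin", 11);          /* name field, cosmetic only */
    memcpy(hdr + SIZE_OFF, octal_size, n);   /* size field */
    memcpy(hdr + 257, "ustar", 5);           /* magic */
}

/* Parse the octal size field. Returns 0 on success and writes the value;
 * returns -1 on a non-octal byte or on a value that would not fit in 64 bits. */
int parse_tar_size(const unsigned char *hdr, uint64_t *out)
{
    uint64_t v = 0;
    for (int i = 0; i < SIZE_LEN; i++) {
        unsigned char c = hdr[SIZE_OFF + i];
        if (c == '\0' || c == ' ')
            break;                           /* NUL or space terminates the field */
        if (c < '0' || c > '7')
            return -1;                       /* attacker-controlled junk, reject */
        if (v > (UINT64_MAX >> 3))
            return -1;                       /* the next shift would overflow */
        v = (v << 3) | (uint64_t)(c - '0');
    }
    *out = v;
    return 0;
}

/* Unsafe pattern (assumed for illustration): the 64-bit size is narrowed to
 * 32 bits and rounded up to a block boundary with no overflow check. A
 * declared size of 0xFFFFFFFF wraps to 0, so a caller would allocate 0 bytes
 * and then copy the entry's data into that buffer. */
uint32_t alloc_len_unchecked(uint64_t sz)
{
    uint32_t s = (uint32_t)sz;                         /* silent truncation */
    return (s + T_BLOCKSIZE - 1) & ~(uint32_t)(T_BLOCKSIZE - 1);  /* wraps */
}

/* Hardened pattern: bound the declared size before doing arithmetic on it,
 * and refuse rather than wrap. max_sz is a policy limit chosen by the caller. */
bool alloc_len_checked(uint64_t sz, uint64_t max_sz, size_t *out)
{
    if (sz > max_sz)
        return false;                                  /* larger than we ever accept */
    if (sz > UINT64_MAX - (T_BLOCKSIZE - 1))
        return false;                                  /* rounding itself would overflow */
    uint64_t rounded = (sz + T_BLOCKSIZE - 1) & ~(uint64_t)(T_BLOCKSIZE - 1);
    if (rounded > SIZE_MAX)
        return false;                                  /* not representable on this platform */
    *out = (size_t)rounded;
    return true;
}

int main(void)
{
    unsigned char hdr[T_BLOCKSIZE];
    uint64_t sz;
    size_t n;

    make_header(hdr, "37777777777");                   /* octal for 0xFFFFFFFF */
    if (parse_tar_size(hdr, &sz) == 0) {
        printf("declared size      : %llu\n", (unsigned long long)sz);
        printf("unchecked alloc len: %u (wrapped)\n", alloc_len_unchecked(sz));
        printf("checked alloc len  : %s\n",
               alloc_len_checked(sz, 1ULL << 30, &n) ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the pair is that the size field is wholly attacker-controlled, so every arithmetic step on it (narrowing, adding a terminator byte, rounding to a block) needs either a bound check or overflow-safe arithmetic before the value reaches an allocator or a copy length.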
