Date: Thu, 10 Oct 2013 10:06:05 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
CC: timo.warns@...il.com, cdfrey@...rsquare.net
Subject: Integer overflow in libtar (<= 1.2.19)

Hi All,

Forwarding information from the linux-distros list to oss-sec, since the issue is public now.

Details:

An integer overflow vulnerability was identified in libtar 1.2.19 (and older) that can possibly be exploited for arbitrary code execution when extracting a specially crafted tar file.

A coordinated release date (CRD) of October 9th has been agreed with Chris Frey (libtar developer).

This issue is assigned CVE-2013-4397.

This issue is fixed in libtar-1.2.20.

Reference:

Upstream patch:
http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04

Announcement:
This is an announcement about the release on the libtar list, but strangely I can't access the list archives. (I am subscribed to the mailing list, though.)

Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1014492

--
Huzaifa Sidhpurwala / Red Hat Security Response Team