Date: Thu, 10 Oct 2013 07:04:15 +0200
From: Naufragium Est <naufragium.est@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Integer overflow in libtar (<= 1.2.19)

The announcement of version 1.2.20 can be found at
https://lists.feep.net:8080/pipermail/libtar/2013-October/000361.html


2013/10/10 Huzaifa Sidhpurwala <huzaifas@...hat.com>

> Hi All,
>
> Forwarding information from the linux-distros list to oss-sec, since
> the issue is public now
>
> Details:
>
> An integer overflow vulnerability was identified in libtar 1.2.19 (and
> older) that can possibly be exploited for arbitrary code execution when
> extracting a specially crafted tar file.
>
> A coordinated release date (CRD) of October 9th has been agreed with
> Chris Frey (libtar developer).
>
> This issue is assigned CVE-2013-4397.
> This issue is fixed in libtar-1.2.20
>
> Reference:
>
> Upstream patch:
>
> http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04
>
> Announcement: This is an announcement about the release on the
> libtar list, but strangely I can't access the list archives.
> (I am subscribed to the mailing list though.)
>
> Red Hat bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=1014492
>
> --
> Huzaifa Sidhpurwala / Red Hat Security Response Team
>
