Date: Sun, 29 Sep 2002 12:43:05 +0100 (BST) From: Mark J Cox <mjc@...hat.com> To: xvendor@...ts.openwall.com cc: Paul Eggert <eggert@...nsun.com> Subject: Re: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw) > > We allocated CAN-2002-0399 for this, > > I'm confused. CAN-2001-1267 or CAN-2002-0399? Well CAN-2001-1267 is for the original issue " Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot).". The general approach in the past has basically been "if the vendor didn't fix the issue properly the first time, keep the same CAN." But that goes against the more common-sense "rule" that if an issue appears in version X but not version X-1, it should be separated from an issue that's in X-1. So I discussed it with the CVE team and they said use CAN-2002-0399 for the vulnerability that "due to a logic error GNU tar up to and including 1.3.25 are vulnerable to a ./.. extraction problem" > Well, with two Bugtraq announcements, I don't think it makes sense to > wait any longer. I noticed that our errata came out of QA this weekend too, so we'll probably pop that out tommorrow. > Do you also have a CVE number for the symlink issue (see the 1998 > Bugtraq posting)? I couldn't find one for that, we'll need to ask Mitre for one (since it's an old issue I can't allocate one). Mail "coley@...us.mitre.org" with the URL reference, he's usually pretty quick at allocating unless the issue is complex. Thanks, Mark -- Mark J Cox / Security Response Team / Red Hat Tel: +44 798 061 3110 // Fax: +44 870 1319174
Powered by blists - more mailing lists
Please check out the xvendor mailing list charter.