Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 29 Sep 2002 12:43:05 +0100 (BST)
From: Mark J Cox <>
cc: Paul Eggert <>
Subject: Re: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

> > We allocated CAN-2002-0399 for this,
> I'm confused.  CAN-2001-1267 or CAN-2002-0399?

Well CAN-2001-1267 is for the original issue " Directory traversal
vulnerability in GNU tar 1.13.19 and earlier allows local users overwrite
arbitrary files during archive extraction via a tar file whose filenames
contain a .. (dot dot).".  The general approach in the past has basically
been "if the vendor didn't fix the issue properly the first time, keep the
same CAN."  But that goes against the more common-sense "rule" that if an
issue appears in version X but not version X-1, it should be separated
from an issue that's in X-1.  

So I discussed it with the CVE team and they said use CAN-2002-0399 for
the vulnerability that "due to a logic error GNU tar up to and including
1.3.25 are vulnerable to a ./.. extraction problem"

> Well, with two Bugtraq announcements, I don't think it makes sense to
> wait any longer.

I noticed that our errata came out of QA this weekend too, so we'll 
probably pop that out tommorrow.

> Do you also have a CVE number for the symlink issue (see the 1998
> Bugtraq posting)?

I couldn't find one for that, we'll need to ask Mitre for one (since it's
an old issue I can't allocate one).  Mail "" with the
URL reference, he's usually pretty quick at allocating unless the issue is
Thanks, Mark
Mark J Cox / Security Response Team / Red Hat
Tel: +44 798 061 3110 // Fax: +44 870 1319174

Powered by blists - more mailing lists

Your e-mail address:

Please check out the xvendor mailing list charter.