Issued:
2007-09-04
Updated:
2007-09-04

RHSA-2007:0873 - Security Advisory

Synopsis

Moderate: star security update

Type/Severity

Security Advisory: Moderate

Topic

An updated star package that fixes a path traversal flaw is now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

Star is a tar-like archiver. It saves multiple files into a single tape or
disk archive, and can restore individual files from the archive. Star
includes multi-volume support, automatic archive format detection and ACL
support.

A path traversal flaw was discovered in the way star extracted archives. A
malicious user could create a tar archive that would cause star to write to
arbitrary files to which the user running star had write access.
(CVE-2007-4134)

Red Hat would like to thank Robert Buchholz for reporting this issue.

As well, this update adds the command line argument "-.." to the Red Hat
Enterprise Linux 3 version of star. This allows star to extract files
containing "/../" in their pathname.

Users of star should upgrade to this updated package, which contain
backported patches to correct these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 4.5 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.5 ia64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5 s390
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian 3 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 253856 - CVE-2007-4134 star directory traversal vulnerability

CVEs

References

Red Hat Enterprise Linux Server 5

SRPM
star-1.5a75-2.src.rpm SHA-256: 226455947fe5cff874aca25ef83470391b23d55ba2037ce5a46de5fa62e5fb26
x86_64
star-1.5a75-2.x86_64.rpm SHA-256: 57a7401b84d09e4b8d1b2ac51b952e79afd88287613383920e1761febaceeb3f
ia64
star-1.5a75-2.ia64.rpm SHA-256: 12ffe5719deef8d6c6e6f2c1f3f3cdc9ce02c0cf8f102a014a006617b80bcb2f
i386
star-1.5a75-2.i386.rpm SHA-256: 6121881f6825e878570ec9a3fa999f60fe54179e6a214cf4a9f75e7e40a744e1

Red Hat Enterprise Linux Server 4

SRPM
star-1.5a25-8.src.rpm SHA-256: 2dbd0194ecf8163c245a141a93bf903f37546ee0cfb63328f7965fbd284f1a31
x86_64
star-1.5a25-8.x86_64.rpm SHA-256: 99fbacaa1bf1ef073f3de409aef446f648b6824bc2b5012d3304946042a68e78
star-1.5a25-8.x86_64.rpm SHA-256: 99fbacaa1bf1ef073f3de409aef446f648b6824bc2b5012d3304946042a68e78
ia64
star-1.5a25-8.ia64.rpm SHA-256: fe8b47bdac282c0b53fd684197c03c91b4ff245648ff734c8b62efa29533b8b1
star-1.5a25-8.ia64.rpm SHA-256: fe8b47bdac282c0b53fd684197c03c91b4ff245648ff734c8b62efa29533b8b1
i386
star-1.5a25-8.i386.rpm SHA-256: 165508286b7d2ee0c4d94c18aff2e5e362eedfd5ce750a37506bd2e81a9ddd76
star-1.5a25-8.i386.rpm SHA-256: 165508286b7d2ee0c4d94c18aff2e5e362eedfd5ce750a37506bd2e81a9ddd76

Red Hat Enterprise Linux Server - Extended Update Support 4.5

SRPM
star-1.5a25-8.src.rpm SHA-256: 2dbd0194ecf8163c245a141a93bf903f37546ee0cfb63328f7965fbd284f1a31
x86_64
star-1.5a25-8.x86_64.rpm SHA-256: 99fbacaa1bf1ef073f3de409aef446f648b6824bc2b5012d3304946042a68e78
star-1.5a25-8.x86_64.rpm SHA-256: 99fbacaa1bf1ef073f3de409aef446f648b6824bc2b5012d3304946042a68e78
ia64
star-1.5a25-8.ia64.rpm SHA-256: fe8b47bdac282c0b53fd684197c03c91b4ff245648ff734c8b62efa29533b8b1
star-1.5a25-8.ia64.rpm SHA-256: fe8b47bdac282c0b53fd684197c03c91b4ff245648ff734c8b62efa29533b8b1
i386
star-1.5a25-8.i386.rpm SHA-256: 165508286b7d2ee0c4d94c18aff2e5e362eedfd5ce750a37506bd2e81a9ddd76
star-1.5a25-8.i386.rpm SHA-256: 165508286b7d2ee0c4d94c18aff2e5e362eedfd5ce750a37506bd2e81a9ddd76

Red Hat Enterprise Linux Workstation 5

SRPM
star-1.5a75-2.src.rpm SHA-256: 226455947fe5cff874aca25ef83470391b23d55ba2037ce5a46de5fa62e5fb26
x86_64
star-1.5a75-2.x86_64.rpm SHA-256: 57a7401b84d09e4b8d1b2ac51b952e79afd88287613383920e1761febaceeb3f
i386
star-1.5a75-2.i386.rpm SHA-256: 6121881f6825e878570ec9a3fa999f60fe54179e6a214cf4a9f75e7e40a744e1

Red Hat Enterprise Linux Workstation 4

SRPM
star-1.5a25-8.src.rpm SHA-256: 2dbd0194ecf8163c245a141a93bf903f37546ee0cfb63328f7965fbd284f1a31
x86_64
star-1.5a25-8.x86_64.rpm SHA-256: 99fbacaa1bf1ef073f3de409aef446f648b6824bc2b5012d3304946042a68e78
ia64
star-1.5a25-8.ia64.rpm SHA-256: fe8b47bdac282c0b53fd684197c03c91b4ff245648ff734c8b62efa29533b8b1
i386
star-1.5a25-8.i386.rpm SHA-256: 165508286b7d2ee0c4d94c18aff2e5e362eedfd5ce750a37506bd2e81a9ddd76

Red Hat Enterprise Linux Desktop 5

SRPM
star-1.5a75-2.src.rpm SHA-256: 226455947fe5cff874aca25ef83470391b23d55ba2037ce5a46de5fa62e5fb26
x86_64
star-1.5a75-2.x86_64.rpm SHA-256: 57a7401b84d09e4b8d1b2ac51b952e79afd88287613383920e1761febaceeb3f
i386
star-1.5a75-2.i386.rpm SHA-256: 6121881f6825e878570ec9a3fa999f60fe54179e6a214cf4a9f75e7e40a744e1

Red Hat Enterprise Linux Desktop 4

SRPM
star-1.5a25-8.src.rpm SHA-256: 2dbd0194ecf8163c245a141a93bf903f37546ee0cfb63328f7965fbd284f1a31
x86_64
star-1.5a25-8.x86_64.rpm SHA-256: 99fbacaa1bf1ef073f3de409aef446f648b6824bc2b5012d3304946042a68e78
i386
star-1.5a25-8.i386.rpm SHA-256: 165508286b7d2ee0c4d94c18aff2e5e362eedfd5ce750a37506bd2e81a9ddd76

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
star-1.5a75-2.src.rpm SHA-256: 226455947fe5cff874aca25ef83470391b23d55ba2037ce5a46de5fa62e5fb26
s390x
star-1.5a75-2.s390x.rpm SHA-256: aabc0c9300ead388d9ca67fc1021b4b49fee014cc9036d58ad475b00eafad117

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
star-1.5a25-8.src.rpm SHA-256: 2dbd0194ecf8163c245a141a93bf903f37546ee0cfb63328f7965fbd284f1a31
s390x
star-1.5a25-8.s390x.rpm SHA-256: effe5db06de1fb3ae70708209d762d32fa1176663b65eb89cda08dbcfb4d846f
s390
star-1.5a25-8.s390.rpm SHA-256: 6a1cddb54cfb74dc7c6b024a05006f95a50489dc444192e7e2213ea0d765d555

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5

SRPM
star-1.5a25-8.src.rpm SHA-256: 2dbd0194ecf8163c245a141a93bf903f37546ee0cfb63328f7965fbd284f1a31
s390x
star-1.5a25-8.s390x.rpm SHA-256: effe5db06de1fb3ae70708209d762d32fa1176663b65eb89cda08dbcfb4d846f
s390
star-1.5a25-8.s390.rpm SHA-256: 6a1cddb54cfb74dc7c6b024a05006f95a50489dc444192e7e2213ea0d765d555

Red Hat Enterprise Linux for Power, big endian 5

SRPM
star-1.5a75-2.src.rpm SHA-256: 226455947fe5cff874aca25ef83470391b23d55ba2037ce5a46de5fa62e5fb26
ppc
star-1.5a75-2.ppc.rpm SHA-256: 8886daa7a9bed551ba03e2775a3892bab011627ddb48c31e0f71bacc480f8dcd

Red Hat Enterprise Linux for Power, big endian 4

SRPM
star-1.5a25-8.src.rpm SHA-256: 2dbd0194ecf8163c245a141a93bf903f37546ee0cfb63328f7965fbd284f1a31
ppc
star-1.5a25-8.ppc.rpm SHA-256: 4cf1a3789b0e1af32dd8f7cd6d862a3a52a6f508d425d14c26bd8aa6b86ab243

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.5

SRPM
star-1.5a25-8.src.rpm SHA-256: 2dbd0194ecf8163c245a141a93bf903f37546ee0cfb63328f7965fbd284f1a31
ppc
star-1.5a25-8.ppc.rpm SHA-256: 4cf1a3789b0e1af32dd8f7cd6d862a3a52a6f508d425d14c26bd8aa6b86ab243

Red Hat Enterprise Linux Server from RHUI 5

SRPM
star-1.5a75-2.src.rpm SHA-256: 226455947fe5cff874aca25ef83470391b23d55ba2037ce5a46de5fa62e5fb26
x86_64
star-1.5a75-2.x86_64.rpm SHA-256: 57a7401b84d09e4b8d1b2ac51b952e79afd88287613383920e1761febaceeb3f
i386
star-1.5a75-2.i386.rpm SHA-256: 6121881f6825e878570ec9a3fa999f60fe54179e6a214cf4a9f75e7e40a744e1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.