Issued:
2010-03-15
Updated:
2010-03-15

RHSA-2010:0141 - Security Advisory

Synopsis

Moderate: tar security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated tar package that fixes two security issues is now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive.

A heap-based buffer overflow flaw was found in the way tar expanded archive
files. If a user were tricked into expanding a specially-crafted archive,
it could cause the tar executable to crash or execute arbitrary code with
the privileges of the user running tar. (CVE-2010-0624)

Red Hat would like to thank Jakob Lell for responsibly reporting the
CVE-2010-0624 issue.

A denial of service flaw was found in the way tar expanded archive files.
If a user expanded a specially-crafted archive, it could cause the tar
executable to crash. (CVE-2007-4476)

Users of tar are advised to upgrade to this updated package, which contains
backported patches to correct these issues.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.8 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.8 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 280961 - CVE-2007-4476 tar/cpio stack crashing in safer_name_suffix
  • BZ - 564368 - CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive

Red Hat Enterprise Linux Server 5

SRPM
tar-1.15.1-23.0.1.el5_4.2.src.rpm SHA-256: d42540d8385c869350277e400f9e6639096d37d81f397da7876dcb9a8854b26e
x86_64
tar-1.15.1-23.0.1.el5_4.2.x86_64.rpm SHA-256: 4fd9be6d8fdc68a9d0d2e9ae237fb98a2e98bb591313aabd739c3330551c4af8
ia64
tar-1.15.1-23.0.1.el5_4.2.ia64.rpm SHA-256: 2f7e7b4499939efb7eec1f51773331b310505ed76aa9ab2cfef274888e164d64
i386
tar-1.15.1-23.0.1.el5_4.2.i386.rpm SHA-256: 09b1ec50fbe49d03d03a65c81581eaaa6c5b41368cbbc4ef4c4b15b5e206fdb4

Red Hat Enterprise Linux Server 4

SRPM
tar-1.14-13.el4_8.1.src.rpm SHA-256: 7a43d423e1554367b596ec64da3bc9f899399fd21fd228674e5a4cb789fb756d
x86_64
tar-1.14-13.el4_8.1.x86_64.rpm SHA-256: 8133cee054b85aca00208825238b306f9ba8d441668e49e1b6d85ed2499912de
tar-1.14-13.el4_8.1.x86_64.rpm SHA-256: 8133cee054b85aca00208825238b306f9ba8d441668e49e1b6d85ed2499912de
ia64
tar-1.14-13.el4_8.1.ia64.rpm SHA-256: 014abb9de9ecc833503470561dc4ace1c2c1cde1497d3e94963e074cbdb34bd3
tar-1.14-13.el4_8.1.ia64.rpm SHA-256: 014abb9de9ecc833503470561dc4ace1c2c1cde1497d3e94963e074cbdb34bd3
i386
tar-1.14-13.el4_8.1.i386.rpm SHA-256: 6daf5e5fe824abc9f1f2717b580e7d2f1d1c1415eb2db051d2414cd3f8b61bf0
tar-1.14-13.el4_8.1.i386.rpm SHA-256: 6daf5e5fe824abc9f1f2717b580e7d2f1d1c1415eb2db051d2414cd3f8b61bf0

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.8

SRPM
tar-1.14-13.el4_8.1.src.rpm SHA-256: 7a43d423e1554367b596ec64da3bc9f899399fd21fd228674e5a4cb789fb756d
x86_64
tar-1.14-13.el4_8.1.x86_64.rpm SHA-256: 8133cee054b85aca00208825238b306f9ba8d441668e49e1b6d85ed2499912de
tar-1.14-13.el4_8.1.x86_64.rpm SHA-256: 8133cee054b85aca00208825238b306f9ba8d441668e49e1b6d85ed2499912de
ia64
tar-1.14-13.el4_8.1.ia64.rpm SHA-256: 014abb9de9ecc833503470561dc4ace1c2c1cde1497d3e94963e074cbdb34bd3
tar-1.14-13.el4_8.1.ia64.rpm SHA-256: 014abb9de9ecc833503470561dc4ace1c2c1cde1497d3e94963e074cbdb34bd3
i386
tar-1.14-13.el4_8.1.i386.rpm SHA-256: 6daf5e5fe824abc9f1f2717b580e7d2f1d1c1415eb2db051d2414cd3f8b61bf0
tar-1.14-13.el4_8.1.i386.rpm SHA-256: 6daf5e5fe824abc9f1f2717b580e7d2f1d1c1415eb2db051d2414cd3f8b61bf0

Red Hat Enterprise Linux Workstation 5

SRPM
tar-1.15.1-23.0.1.el5_4.2.src.rpm SHA-256: d42540d8385c869350277e400f9e6639096d37d81f397da7876dcb9a8854b26e
x86_64
tar-1.15.1-23.0.1.el5_4.2.x86_64.rpm SHA-256: 4fd9be6d8fdc68a9d0d2e9ae237fb98a2e98bb591313aabd739c3330551c4af8
i386
tar-1.15.1-23.0.1.el5_4.2.i386.rpm SHA-256: 09b1ec50fbe49d03d03a65c81581eaaa6c5b41368cbbc4ef4c4b15b5e206fdb4

Red Hat Enterprise Linux Workstation 4

SRPM
tar-1.14-13.el4_8.1.src.rpm SHA-256: 7a43d423e1554367b596ec64da3bc9f899399fd21fd228674e5a4cb789fb756d
x86_64
tar-1.14-13.el4_8.1.x86_64.rpm SHA-256: 8133cee054b85aca00208825238b306f9ba8d441668e49e1b6d85ed2499912de
ia64
tar-1.14-13.el4_8.1.ia64.rpm SHA-256: 014abb9de9ecc833503470561dc4ace1c2c1cde1497d3e94963e074cbdb34bd3
i386
tar-1.14-13.el4_8.1.i386.rpm SHA-256: 6daf5e5fe824abc9f1f2717b580e7d2f1d1c1415eb2db051d2414cd3f8b61bf0

Red Hat Enterprise Linux Desktop 5

SRPM
tar-1.15.1-23.0.1.el5_4.2.src.rpm SHA-256: d42540d8385c869350277e400f9e6639096d37d81f397da7876dcb9a8854b26e
x86_64
tar-1.15.1-23.0.1.el5_4.2.x86_64.rpm SHA-256: 4fd9be6d8fdc68a9d0d2e9ae237fb98a2e98bb591313aabd739c3330551c4af8
i386
tar-1.15.1-23.0.1.el5_4.2.i386.rpm SHA-256: 09b1ec50fbe49d03d03a65c81581eaaa6c5b41368cbbc4ef4c4b15b5e206fdb4

Red Hat Enterprise Linux Desktop 4

SRPM
tar-1.14-13.el4_8.1.src.rpm SHA-256: 7a43d423e1554367b596ec64da3bc9f899399fd21fd228674e5a4cb789fb756d
x86_64
tar-1.14-13.el4_8.1.x86_64.rpm SHA-256: 8133cee054b85aca00208825238b306f9ba8d441668e49e1b6d85ed2499912de
i386
tar-1.14-13.el4_8.1.i386.rpm SHA-256: 6daf5e5fe824abc9f1f2717b580e7d2f1d1c1415eb2db051d2414cd3f8b61bf0

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
tar-1.15.1-23.0.1.el5_4.2.src.rpm SHA-256: d42540d8385c869350277e400f9e6639096d37d81f397da7876dcb9a8854b26e
s390x
tar-1.15.1-23.0.1.el5_4.2.s390x.rpm SHA-256: d2377196c7e961c9e8488fda43792664fea0418d5826c9ea9e4f2521e09bc8a7

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
tar-1.14-13.el4_8.1.src.rpm SHA-256: 7a43d423e1554367b596ec64da3bc9f899399fd21fd228674e5a4cb789fb756d
s390x
tar-1.14-13.el4_8.1.s390x.rpm SHA-256: 3c2ab2ef76e2916652e92a1ef349d78f3717d1dc7dd347a6f6c9203184274665
s390
tar-1.14-13.el4_8.1.s390.rpm SHA-256: 3b8aa50024a12e4e3297194d8fdce87753f9e72add1df2087049fb4a4eda2a80

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4

SRPM
s390x

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8

SRPM
tar-1.14-13.el4_8.1.src.rpm SHA-256: 7a43d423e1554367b596ec64da3bc9f899399fd21fd228674e5a4cb789fb756d
s390x
tar-1.14-13.el4_8.1.s390x.rpm SHA-256: 3c2ab2ef76e2916652e92a1ef349d78f3717d1dc7dd347a6f6c9203184274665
s390
tar-1.14-13.el4_8.1.s390.rpm SHA-256: 3b8aa50024a12e4e3297194d8fdce87753f9e72add1df2087049fb4a4eda2a80

Red Hat Enterprise Linux for Power, big endian 5

SRPM
tar-1.15.1-23.0.1.el5_4.2.src.rpm SHA-256: d42540d8385c869350277e400f9e6639096d37d81f397da7876dcb9a8854b26e
ppc
tar-1.15.1-23.0.1.el5_4.2.ppc.rpm SHA-256: 9da98980dee882c1881d00e65081e4df4c6f6706062fa8e1196a91d95e91d51e

Red Hat Enterprise Linux for Power, big endian 4

SRPM
tar-1.14-13.el4_8.1.src.rpm SHA-256: 7a43d423e1554367b596ec64da3bc9f899399fd21fd228674e5a4cb789fb756d
ppc
tar-1.14-13.el4_8.1.ppc.rpm SHA-256: 5453ae93a787f092517c0a67d7eb8a95c975d7ce019387848eb7ac5ce51ee38d

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8

SRPM
tar-1.14-13.el4_8.1.src.rpm SHA-256: 7a43d423e1554367b596ec64da3bc9f899399fd21fd228674e5a4cb789fb756d
ppc
tar-1.14-13.el4_8.1.ppc.rpm SHA-256: 5453ae93a787f092517c0a67d7eb8a95c975d7ce019387848eb7ac5ce51ee38d

Red Hat Enterprise Linux Server from RHUI 5

SRPM
tar-1.15.1-23.0.1.el5_4.2.src.rpm SHA-256: d42540d8385c869350277e400f9e6639096d37d81f397da7876dcb9a8854b26e
x86_64
tar-1.15.1-23.0.1.el5_4.2.x86_64.rpm SHA-256: 4fd9be6d8fdc68a9d0d2e9ae237fb98a2e98bb591313aabd739c3330551c4af8
i386
tar-1.15.1-23.0.1.el5_4.2.i386.rpm SHA-256: 09b1ec50fbe49d03d03a65c81581eaaa6c5b41368cbbc4ef4c4b15b5e206fdb4

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.