LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora alert FEDORA-2010-4306 (tar)



From:
    	      updates@fedoraproject.org 


To:
    	      package-announce@lists.fedoraproject.org 


Subject:
    	      [SECURITY] Fedora 11 Update: tar-1.22-5.fc11 


Date:
    	      Sat, 27 Mar 2010 01:00:53 +0000


Message-ID:
    	      <20100327010053.E55B910F9CC@bastion02.phx2.fedoraproject.org>


Archive-link:
    	      Article, Thread
              


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-4306
2010-03-12 03:08:20
--------------------------------------------------------------------------------

Name        : tar
Product     : Fedora 11
Version     : 1.22
Release     : 5.fc11
URL         : http://www.gnu.org/software/tar/
Summary     : A GNU file archiving program
Description :
The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive. Tar
can also be used to add supplemental files to an archive and to update
or list files in the archive. Tar includes multivolume support,
automatic archive compression/decompression, the ability to perform
remote archives, and the ability to perform incremental and full
backups.

If you want to use tar for remote backups, you also need to install
the rmt package.

--------------------------------------------------------------------------------
Update Information:

- CVE-2010-0624 tar, cpio: Heap-based buffer overflow    by expanding a
specially-crafted archive (#572149)  - realloc within check_exclusion_tags()
caused invalid write    (#570591)  - not closing file descriptors for excluded
files/dirs with    exlude-tag... options could cause descriptor exhaustion
(#570591)  - do not fail with POSIX 2008 glibc futimens() (#552320)  - fix
segfault with corrupted metadata in code_ns_fraction    (#531441)  - commented
patches and sources  - store xattrs for symlinks (#525992) - by Kamil Dudka  -
update tar(1) manpage (#539787)  - fix memory leak in xheader (#518079)  - store
SELinux context for symlinks (#525992)  - provide symlink manpage for gtar  - do
process install-info only without --excludedocs(#515923)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 10 2010 Ondrej Vasik <ovasik@redhat.com> 2:1.22-5
- CVE-2010-0624 tar, cpio: Heap-based buffer overflow
  by expanding a specially-crafted archive (#572149)
- realloc within check_exclusion_tags() caused invalid write
  (#570591)
- not closing file descriptors for excluded files/dirs with
  exlude-tag... options could cause descriptor exhaustion
  (#570591)
- do not fail with POSIX 2008 glibc futimens() (#552320)
- fix segfault with corrupted metadata in code_ns_fraction
  (#531441)
- commented patches and sources
- store xattrs for symlinks (#525992) - by Kamil Dudka
- update tar(1) manpage (#539787)
- fix memory leak in xheader (#518079)
- store SELinux context for symlinks (#525992)
- provide symlink manpage for gtar
- do process install-info only without --excludedocs(#515923)
* Thu Jul 16 2009 Ondrej Vasik <ovasik@redhat.com> 2:1.22-4
- Fix restoring of directory default acls(#511145)
- Do not patch generated autotools files
- Do not sigabrt with new gcc/glibc because of writing to
  struct members of gnutar header at once via strcpy
* Thu Jul  2 2009 Ondrej Vasik <ovasik@redhat.com> 2:1.22-3
- report record size only if the archive refers to a device
  (#487760)
- ignore errors from setting utime() for source file
  on read-only filesystem (#500742)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #564368 - CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a
specially-crafted archive
        https://bugzilla.redhat.com/show_bug.cgi?id=564368
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update tar' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds