User: Password:
Subscribe / Log in / New account

Trustix alert TSLSA-2006-0068 (gnupg, tar)

From:  Trustix Security Advisor <>
Subject:  TSLSA-2006-0068 - multi
Date:  Fri, 1 Dec 2006 13:25:39 +0000

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Trustix Secure Linux Security Advisory #2006-0068 Package names: gnupg, tar Summary: Multiple vulnerabilities Date: 2006-12-01 Affected versions: Trustix Secure Linux 2.2 Trustix Secure Linux 3.0 Trustix Operating System - Enterprise Server 2 - -------------------------------------------------------------------------- Package description: gnupg GnuPG is a complete and free replacement for PGP. Because it does not use IDEA it can be used without any restrictions. GnuPG is in compliance with the OpenPGP specification (RFC2440). tar The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Tar can also be used to add supplemental files to an archive and to update or list files in the archive. Tar includes multivolume support, automatic archive compression/decompression, the ability to perform remote archives, and the ability to perform incremental and full backups. Problem description: gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 > - SECURITY Fix: Hugh Warrington has reported a vulnerability in GnuPG, caused due to a boundary error in the "ask_outfile_name()" function in openfile.c, because the "make_printable_string()" function can return a string longer than the expected "NAMELEN". This can be exploited to cause a buffer overflow. The Common Vulnerabilities and Exposures project ( has assigned the name CVE-2006-6169 to this issue. tar < TSL 3.0 > < TSL 2.2 > < TSEL 2 > - New Upstream - Option -l is now an alias of --check-links option. - SECURITY Fix: Teemu Salmela has reported a security issue in GNU tar, caused due to the "extract_archive()" function in extract.c and the "extract_mangle()" function in mangle.c still processing the deprecated "GNUTYPE_NAMES" record type containing symbolic links. This can be exploited to overwrite arbitrary files. The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-6097 to this issue. Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system. Location: All Trustix Secure Linux updates are available from <URI:> <URI:> About Trustix Secure Linux: Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater. Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'. Questions? Check out our mailing lists: <URI:> Verification: This advisory along with all Trustix packages are signed with the TSL sign key. This key is available from: <URI:> The advisory itself is available from the errata pages at <URI:> and <URI:> or directly at <URI:> MD5sums of the packages: - -------------------------------------------------------------------------- 6097b3d84c5edcc4e725b34a3f46e1d3 3.0/rpms/gnupg-1.4.5-2tr.i586.rpm 095c0af2edafddab2cfa7f85dcc182b8 3.0/rpms/gnupg-utils-1.4.5-2tr.i586.rpm 123a1567dbbc45ea1549d6f45fdead39 3.0/rpms/tar-1.16-1tr.i586.rpm efb1b7a73d95299660d3dfe6d109894e 2.2/rpms/dds2tar-2.5.2-1tr.i586.rpm c67559e5928660ef1b2654101e861696 2.2/rpms/gnupg-1.2.6-5tr.i586.rpm def6ddab06d5fadc6044a12f55d4792a 2.2/rpms/gnupg-utils-1.2.6-5tr.i586.rpm ba6a1459702d5f017695efdddd692ee4 2.2/rpms/tar-1.16-1tr.i586.rpm - -------------------------------------------------------------------------- Trustix Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFFcCsMi8CEzsK9IksRAosWAKCyczj9Keh+Ux5kQaNN3iJLO50WwgCeIUE3 uDFOO463YeHHWPDo3sPpFYg= =c7Ry -----END PGP SIGNATURE----- _______________________________________________ tsl-announce mailing list

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds