Home page logo
/

bugtraq logo Bugtraq mailing list archives

TSLSA-2006-0068 - multi
From: Trustix Security Advisor <tsl () trustix org>
Date: Fri, 1 Dec 2006 13:26:04 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0068

Package names:     gnupg, tar
Summary:           Multiple vulnerabilities
Date:              2006-12-01
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in
  compliance with the OpenPGP specification (RFC2440).

  tar
  The GNU tar program saves many files together in one archive and can
  restore individual files (or all of the files) from that archive. Tar
  can also be used to add supplemental files to an archive and to update
  or list files in the archive. Tar includes multivolume support,
  automatic archive compression/decompression, the ability to perform
  remote archives, and the ability to perform incremental and full
  backups.

Problem description:
  gnupg  < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Hugh Warrington has reported a vulnerability in GnuPG,
    caused due to a boundary error in the "ask_outfile_name()" function
    in openfile.c, because the "make_printable_string()" function can
    return a string longer than the expected "NAMELEN". This can be
    exploited to cause a buffer overflow.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-6169 to this issue.

  tar < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream
  - Option -l is now an alias of --check-links option.
  - SECURITY Fix: Teemu Salmela has reported a security issue in GNU tar,
    caused due to the "extract_archive()" function in extract.c and the
    "extract_mangle()" function in mangle.c still processing the
    deprecated "GNUTYPE_NAMES" record type containing symbolic links.
    This can be exploited to overwrite arbitrary files.

    The Common Vulnerabilities and Exposures project has assigned the
    name CVE-2006-6097 to this issue. 
 
Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0068/>


MD5sums of the packages:
- --------------------------------------------------------------------------
6097b3d84c5edcc4e725b34a3f46e1d3  3.0/rpms/gnupg-1.4.5-2tr.i586.rpm
095c0af2edafddab2cfa7f85dcc182b8  3.0/rpms/gnupg-utils-1.4.5-2tr.i586.rpm
123a1567dbbc45ea1549d6f45fdead39  3.0/rpms/tar-1.16-1tr.i586.rpm

efb1b7a73d95299660d3dfe6d109894e  2.2/rpms/dds2tar-2.5.2-1tr.i586.rpm
c67559e5928660ef1b2654101e861696  2.2/rpms/gnupg-1.2.6-5tr.i586.rpm
def6ddab06d5fadc6044a12f55d4792a  2.2/rpms/gnupg-utils-1.2.6-5tr.i586.rpm
ba6a1459702d5f017695efdddd692ee4  2.2/rpms/tar-1.16-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFcCsMi8CEzsK9IksRAosWAKCyczj9Keh+Ux5kQaNN3iJLO50WwgCeIUE3
uDFOO463YeHHWPDo3sPpFYg=
=c7Ry
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • TSLSA-2006-0068 - multi Trustix Security Advisor (Dec 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault