Advisories

Mandriva Advisories

Package name	sharutils
Date	April 7th, 2005
Advisory ID	MDKSA-2005:067
Affected versions	10.0, 10.1, CS2.1, CS3.0
Synopsis	Updated sharutils packages fix multiple vulnerabilities

Problem Description

Shaun Colley discovered a buffer overflow in shar that was triggered
by output files (using -o) with names longer than 49 characters which
could be exploited to run arbitrary attacker-specified code.

Ulf Harnhammar discovered that shar does not check the data length
returned by the wc command.

Joey Hess discovered that unshar would create temporary files in an
insecure manner which could allow a symbolic link attack to create or
overwrite arbitrary files with the privileges of the user using unshar.

The updated packages have been patched to correct these issues.

Updated Packages

Mandrakelinux 10.0

 e0c5cfb886f7a0fedfc5bdc1455abccd  10.0/RPMS/sharutils-4.2.1-14.1.100mdk.i586.rpm
21b92cbccfc0d68d6e54d8e5a29cb7a4  10.0/SRPMS/sharutils-4.2.1-14.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64

 3a5e130272c580dea1fa04759ac6bc13  amd64/10.0/RPMS/sharutils-4.2.1-14.1.100mdk.amd64.rpm
21b92cbccfc0d68d6e54d8e5a29cb7a4  amd64/10.0/SRPMS/sharutils-4.2.1-14.1.100mdk.src.rpm

Mandrakelinux 10.1

 6385031df18e26b9cfb90cd3258ef3d0  10.1/RPMS/sharutils-4.2.1-17.1.101mdk.i586.rpm
f2ccbc3b40ce4e78cf38fb04903ff115  10.1/SRPMS/sharutils-4.2.1-17.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

 bd19a7967add2833d4307f4bbe4bb846  x86_64/10.1/RPMS/sharutils-4.2.1-17.1.101mdk.x86_64.rpm
f2ccbc3b40ce4e78cf38fb04903ff115  x86_64/10.1/SRPMS/sharutils-4.2.1-17.1.101mdk.src.rpm

Corporate Server 2.1

 5dfef49fe2541b8d59a0bb19ce0e4118  corporate/2.1/RPMS/sharutils-4.2.1-14.1.C21mdk.i586.rpm
85f8159f48a7eaed12a22b72bb0444b3  corporate/2.1/SRPMS/sharutils-4.2.1-14.1.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 9a797c69a9b09049db9a6844e75c8db5  x86_64/corporate/2.1/RPMS/sharutils-4.2.1-14.1.C21mdk.x86_64.rpm
85f8159f48a7eaed12a22b72bb0444b3  x86_64/corporate/2.1/SRPMS/sharutils-4.2.1-14.1.C21mdk.src.rpm

Corporate Server 3.0

 77797b4c5413cc83ce90718238d9ec49  corporate/3.0/RPMS/sharutils-4.2.1-14.1.C30mdk.i586.rpm
cf8342d9bfdbcd90ccd36aec74546589  corporate/3.0/SRPMS/sharutils-4.2.1-14.1.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 b8f7c96b18dc28d5ef919d2841496648  x86_64/corporate/3.0/RPMS/sharutils-4.2.1-14.1.C30mdk.x86_64.rpm
cf8342d9bfdbcd90ccd36aec74546589  x86_64/corporate/3.0/SRPMS/sharutils-4.2.1-14.1.C30mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1773
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=302412

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.

URL:

https://mandriva.com/security/advisories

Short link:

https://mandriva.com/content/view/full/1075

Intersites Menu

Mandriva

Tools

Top menu

Advisories

Footer