Message-ID: <Pine.LNX.4.44.0209291234580.22355-100000@dell1.moose.awe.com>
Date: Sun, 29 Sep 2002 12:43:05 +0100 (BST)
From: Mark J Cox <mjc@...hat.com>
To: xvendor@...ts.openwall.com
cc: Paul Eggert <eggert@...nsun.com>
Subject: Re: Fwd: GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw)

> > We allocated CAN-2002-0399 for this,
>
> I'm confused.  CAN-2001-1267 or CAN-2002-0399?

Well CAN-2001-1267 is for the original issue "Directory traversal
vulnerability in GNU tar 1.13.19 and earlier allows local users overwrite
arbitrary files during archive extraction via a tar file whose filenames
contain a .. (dot dot).".

The general approach in the past has basically been "if the vendor didn't
fix the issue properly the first time, keep the same CAN."  But that goes
against the more common-sense "rule" that if an issue appears in version X
but not version X-1, it should be separated from an issue that's in X-1.

So I discussed it with the CVE team and they said use CAN-2002-0399 for
the vulnerability that "due to a logic error GNU tar up to and including
1.3.25 are vulnerable to a ./.. extraction problem"

> Well, with two Bugtraq announcements, I don't think it makes sense to
> wait any longer.

I noticed that our errata came out of QA this weekend too, so we'll
probably pop that out tomorrow.

> Do you also have a CVE number for the symlink issue (see the 1998
> Bugtraq posting)?

I couldn't find one for that, we'll need to ask Mitre for one (since it's
an old issue I can't allocate one).  Mail "coley@...us.mitre.org" with the
URL reference, he's usually pretty quick at allocating unless the issue is
complex.

Thanks, Mark
--
Mark J Cox / Security Response Team / Red Hat
Tel: +44 798 061 3110 // Fax: +44 870 1319174