-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0068

Package names:     gnupg, tar
Summary:           Multiple vulnerabilities
Date:              2006-12-01
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------

Package description:
  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in
  compliance with the OpenPGP specification (RFC2440).

  tar
  The GNU tar program saves many files together in one archive and can
  restore individual files (or all of the files) from that archive. Tar
  can also be used to add supplemental files to an archive and to update
  or list files in the archive. Tar includes multivolume support,
  automatic archive compression/decompression, the ability to perform
  remote archives, and the ability to perform incremental and full
  backups.

Problem description:
  gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Hugh Warrington has reported a vulnerability in GnuPG,
    caused by a boundary error in the "ask_outfile_name()" function in
    openfile.c: the "make_printable_string()" function can return a
    string longer than the expected "NAMELEN". This can be exploited to
    cause a buffer overflow.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-6169 to this issue.

  tar < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream
  - Option -l is now an alias of the --check-links option.
  - SECURITY Fix: Teemu Salmela has reported a security issue in GNU tar,
    caused by the "extract_archive()" function in extract.c and the
    "extract_mangle()" function in mangle.c still processing the
    deprecated "GNUTYPE_NAMES" record type, which can contain symbolic
    links. This can be exploited to overwrite arbitrary files.
    The Common Vulnerabilities and Exposures project has assigned the
    name CVE-2006-6097 to this issue.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With
  focus on security and stability, the system is painlessly kept safe
  and up to date from day one using swup, the automated software
  updater.

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>

Verification:
  This advisory, along with all Trustix packages, is signed with the
  TSL sign key. This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0068/>

MD5sums of the packages:
- --------------------------------------------------------------------------
6097b3d84c5edcc4e725b34a3f46e1d3  3.0/rpms/gnupg-1.4.5-2tr.i586.rpm
095c0af2edafddab2cfa7f85dcc182b8  3.0/rpms/gnupg-utils-1.4.5-2tr.i586.rpm
123a1567dbbc45ea1549d6f45fdead39  3.0/rpms/tar-1.16-1tr.i586.rpm

efb1b7a73d95299660d3dfe6d109894e  2.2/rpms/dds2tar-2.5.2-1tr.i586.rpm
c67559e5928660ef1b2654101e861696  2.2/rpms/gnupg-1.2.6-5tr.i586.rpm
def6ddab06d5fadc6044a12f55d4792a  2.2/rpms/gnupg-utils-1.2.6-5tr.i586.rpm
ba6a1459702d5f017695efdddd692ee4  2.2/rpms/tar-1.16-1tr.i586.rpm
- --------------------------------------------------------------------------

Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFcCsMi8CEzsK9IksRAosWAKCyczj9Keh+Ux5kQaNN3iJLO50WwgCeIUE3
uDFOO463YeHHWPDo3sPpFYg=
=c7Ry
-----END PGP SIGNATURE-----
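The GnuPG item in the Problem description above comes down to a fixed NAMELEN buffer receiving the result of make_printable_string(), which can be longer than its input because non-printable bytes are expanded into escape sequences. The C program below is an added example written for this page, not GnuPG's code: NAMELEN_DEMO, printable_len(), printable_copy() and demo_default_name() are names chosen here, the "\xNN" escape format is a simplification, and the value 16 is an assumption, not the real NAMELEN. What it shows is the step the advisory describes as missing, a length check of the expanded string before anything is copied into the fixed buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size standing in for GnuPG's NAMELEN (an assumption,
 * not the real constant); kept small so the rejection is easy to trigger. */
#define NAMELEN_DEMO 16

/* Bytes the escaped form of s occupies, excluding the terminating NUL.
 * Printable ASCII is copied unchanged; every other byte becomes "\xNN", so
 * the escaped string can be up to four times longer than its input. */
size_t printable_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        n += (c >= 0x20 && c < 0x7f) ? 1 : 4;
    }
    return n;
}

/* Escape s into dst (dstsize bytes). Returns 0 on success, -1 with dst set
 * to "" when the escaped form would not fit. The size check runs before any
 * byte is written; that check is what the advisory's caller lacked, since
 * it assumed make_printable_string()'s result fit in NAMELEN. */
int printable_copy(char *dst, size_t dstsize, const char *s)
{
    if (dstsize == 0)
        return -1;
    if (printable_len(s) + 1 > dstsize) {
        dst[0] = '\0';
        return -1;
    }
    char *p = dst;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c >= 0x20 && c < 0x7f) {
            *p++ = (char)c;
        } else {
            snprintf(p, 5, "\\x%02x", c);  /* 4 chars + NUL; room checked above */
            p += 4;
        }
    }
    *p = '\0';
    return 0;
}

/* Stand-in for the default-output-name step (hypothetical, modelled on the
 * advisory text): a fixed NAMELEN_DEMO buffer receives the printable form
 * of a name taken from untrusted input. The unchecked shape was roughly
 *     strcpy(defname, make_printable_string(name));
 * Here an oversized result is rejected (NULL) instead of overrunning. */
const char *demo_default_name(const char *name)
{
    static char defname[NAMELEN_DEMO];
    return printable_copy(defname, sizeof defname, name) == 0 ? defname : NULL;
}

int main(void)
{
    /* constructed inputs: plain, one control byte, four control bytes */
    const char *samples[] = { "notes.txt", "a\001b", "\001\002\003\004" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *out = demo_default_name(samples[i]);
        if (out)
            printf("ok:       %s\n", out);
        else
            printf("rejected: escaped form needs %zu bytes, buffer holds %d\n",
                   printable_len(samples[i]) + 1, NAMELEN_DEMO);
    }
    return 0;
}
```

The third sample is only four bytes long, yet its escaped form needs 17 bytes and is refused; sizing the destination by the input length, which is the shortcut the advisory describes, would have overrun a 16-byte buffer there.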
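For the tar item in the Problem description, the check a defender can run before handing an untrusted archive to tar is to read its record types without extracting anything. The C program below is an added example, not GNU tar's code: it builds a small archive in memory from constructed entry names and payloads, then walks the 512-byte headers and reports every 'N' record (the typeflag value GNU tar uses for GNUTYPE_NAMES) and every symlink entry whose target is absolute or contains a ".." component. make_header(), link_escapes(), scan_tar(), build_sample(), run_demo() and finding_t are names chosen here; the field offsets are the standard ustar/GNU header layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK 512   /* tar block size */

typedef struct { char name[101]; char target[101]; const char *reason; } finding_t;

/* Minimal GNU-style header (constructed): standard ustar offsets, typeflag at
 * byte 156, linkname at 157; uid/gid/mtime stay zero, the scanner ignores them. */
void make_header(unsigned char *h, const char *name, char typeflag,
                 size_t size, const char *linkname)
{
    memset(h, 0, BLOCK);
    memcpy(h, name, strlen(name));                        /* name < 100 bytes */
    snprintf((char *)h + 100, 8, "%07o", 0644u);          /* mode */
    snprintf((char *)h + 124, 12, "%011o", (unsigned)size);
    memset(h + 148, ' ', 8);                              /* chksum as spaces */
    h[156] = (unsigned char)typeflag;
    if (linkname) memcpy(h + 157, linkname, strlen(linkname));
    memcpy(h + 257, "ustar  ", 8);                        /* GNU magic+version */
    unsigned sum = 0;
    for (int i = 0; i < BLOCK; i++) sum += h[i];
    snprintf((char *)h + 148, 8, "%06o", sum & 0777777u); /* digits, NUL, space */
    h[155] = ' ';
}

/* True when a link target is absolute or has a ".." path component. */
int link_escapes(const char *target)
{
    if (target[0] == '/') return 1;
    for (const char *p = target; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 1;
        if (*p) p++;
    }
    return 0;
}

/* Walk the header chain without extracting anything. Reports 'N'
 * (GNUTYPE_NAMES) records, which the patched tar no longer processes, and
 * symlinks ('2') whose target leaves the extraction directory. */
size_t scan_tar(const unsigned char *data, size_t len, finding_t *out, size_t max)
{
    static const unsigned char zero[BLOCK];
    size_t off = 0, n = 0;
    while (off + BLOCK <= len && n < max) {
        const unsigned char *h = data + off;
        if (memcmp(h, zero, BLOCK) == 0) break;           /* end-of-archive */
        char sizefield[13] = {0};
        memcpy(sizefield, h + 124, 12);
        unsigned long size = strtoul(sizefield, NULL, 8);
        finding_t f = { .reason = NULL };
        memcpy(f.name, h, 100);         f.name[100] = '\0';
        memcpy(f.target, h + 157, 100); f.target[100] = '\0';
        if (h[156] == 'N')
            f.reason = "deprecated GNUTYPE_NAMES record";
        else if (h[156] == '2' && link_escapes(f.target))
            f.reason = "symlink target escapes extraction directory";
        if (f.reason) out[n++] = f;
        off += BLOCK + ((size + BLOCK - 1) / BLOCK) * BLOCK;   /* skip data */
    }
    return n;
}

static unsigned char g_archive[8 * BLOCK];
static finding_t g_findings[8];

/* Constructed 8-block archive: a regular file, a harmless relative symlink,
 * a symlink that climbs out of the tree, and a GNUTYPE_NAMES record. */
size_t build_sample(unsigned char *buf)
{
    static const char payload[] = "hello\n", names[] = "constructed names payload\n";
    unsigned char *p = buf;
    make_header(p, "README", '0', sizeof payload - 1, NULL);      p += BLOCK;
    memset(p, 0, BLOCK); memcpy(p, payload, sizeof payload - 1);   p += BLOCK;
    make_header(p, "docs/latest", '2', 0, "README");               p += BLOCK;
    make_header(p, "lib/libc.so", '2', 0, "../../etc/passwd");     p += BLOCK;
    make_header(p, "names-record", 'N', sizeof names - 1, NULL);   p += BLOCK;
    memset(p, 0, BLOCK); memcpy(p, names, sizeof names - 1);       p += BLOCK;
    memset(p, 0, 2 * BLOCK);                                       p += 2 * BLOCK;
    return (size_t)(p - buf);
}

/* Build and scan the constructed archive; returns the finding count. */
size_t run_demo(void) { return scan_tar(g_archive, build_sample(g_archive), g_findings, 8); }
const finding_t *demo_finding(size_t i) { return &g_findings[i]; }

int main(void)
{
    size_t n = run_demo();
    for (size_t i = 0; i < n; i++)
        printf("%-13s %s%s%s\n", g_findings[i].name, g_findings[i].reason,
               g_findings[i].target[0] ? " -> " : "", g_findings[i].target);
    return 0;
}
```

The scanner deliberately never follows a size field into extraction; it only uses it to step to the next header, so a hostile archive can at worst make it stop early. On a real system the same walk can be done over a file read into memory, and an archive with any finding is one to inspect by hand rather than extract with a pre-fix tar.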