---

Gentoo Linux Advisories: tar, fetchmail, unzip, python


- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :tar
SUMMARY        :directory-traversal vulnerability
DATE           :2002-10-01 12:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

The tar utility contains vulnerabilities which can allow
arbitrary files to be overwritten during archive extraction.

DETAIL

During testing by Red Hat of the fix to GNU tar from the advisory below,
it was discovered that GNU tar 1.13.25 was still vulnerable to a
modified version of the same problem.

Read the full original advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/tar-1.13.25-r2 and earlier update their systems
as follows:

emerge rsync
emerge tar
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------


- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :fetchmail
SUMMARY        :remote vulnerabilities
DATE           :2002-10-01 09:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

Stefan Esser from e-matters has discovered several buffer overflows and
a broken boundary check within Fetchmail.

DETAIL

If Fetchmail is running in multidrop mode these flaws can be used by
remote attackers to crash it or to execute arbitrary code with the
permissions of the user running fetchmail. Depending on the configuration
this allows a remote root compromise.

Read the full advisory at
http://security.e-matters.de/advisories/032002.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/fetchmail-0.59.14 and earlier update their systems
as follows:

emerge rsync
emerge fetchmail
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------


- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :unzip
SUMMARY        :directory-traversal vulnerability
DATE           :2002-10-01 10:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

Archive extraction is usually treated by users as a safe operation.
There are a few problems with file extraction, though.

DETAIL

Among them: huge files with a high compression ratio are able to fill
memory/disk (see the "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
directory traversal (dot-dot bug). Probably, directory traversal is
the most dangerous among these bugs, because it allows crafting an archive
which will trojan the system on extraction. This problem is known to
software developers, and newer archivers usually have some kind of
protection. But in some cases this protection is weak and can be
bypassed. I did very quick (approx. 30 minutes, so maybe I've missed
something) research on a few popular archivers. Results are below.

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-arch/unzip-5.42-r1 and earlier update their systems
as follows:

emerge rsync
emerge unzip
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
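
The tar and unzip advisories above both concern member names that escape
the extraction directory. The following is an added example, not code from
Gentoo, GNU tar or Info-ZIP: it lists such members before anything is
extracted. Function names and sample archive contents are constructed here.

```python
import io
import posixpath
import tarfile
import zipfile


def escapes_root(name: str) -> bool:
    """True if a member name would land outside the extraction directory."""
    name = name.replace("\\", "/")  # some extractors accept backslash separators
    if name.startswith("/") or name[1:2] == ":":
        return True  # absolute path, or (conservatively) a drive-letter prefix
    norm = posixpath.normpath(name)  # collapses "a/../../b" to "../b"
    return norm == ".." or norm.startswith("../")


def unsafe_tar_members(data: bytes) -> list[str]:
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf.getmembers():
            # symlink targets resolve from the link's directory, hard links from the root
            base = posixpath.dirname(m.name) if m.issym() else ""
            target = posixpath.join(base, m.linkname) if m.issym() or m.islnk() else ""
            if escapes_root(m.name) or escapes_root(target):
                bad.append(m.name)
    return bad


def unsafe_zip_members(data: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if escapes_root(n)]


def build_samples() -> tuple[bytes, bytes]:
    """Constructed in-memory archives: empty files with hostile member names."""
    names = ["docs/readme.txt", "../outside.txt", "/tmp/abs.txt", "docs/../../up.txt"]
    tbuf, zbuf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf, zipfile.ZipFile(zbuf, "w") as zf:
        for n in names:
            tf.addfile(tarfile.TarInfo(n))
            zf.writestr(n, b"")
        link = tarfile.TarInfo("docs/link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../elsewhere"
        tf.addfile(link)
    return tbuf.getvalue(), zbuf.getvalue()


if __name__ == "__main__":
    tar_bytes, zip_bytes = build_samples()
    print(unsafe_tar_members(tar_bytes), unsafe_zip_members(zip_bytes))
```

The link check matters because a symlink that points outside the tree lets
a later, innocently named member be written through it.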


- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :python
SUMMARY        :os.execvpe() vulnerability
DATE           :2002-10-03 14:45 UTC

- - --------------------------------------------------------------------

OVERVIEW

By exploiting this vulnerability a local attacker can execute
arbitrary code with the privileges of the user running python code
which uses the execvpe() method.

DETAIL

Zack Weinberg found a vulnerability in the way the execvpe() method
from the os.py module uses a temporary file name. A file which
supposedly should not exist is created in an unsafe way and the method
tries to execute it. The objective of such code is to discover what
error the operating system returns in a portable way.

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-lang/python-2.2.1-r4 and earlier update their systems
as follows:

emerge rsync
emerge python
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
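
The pattern described in the python advisory, beside a safer form, as an
added example that is not the code from os.py or from the Python project.
The function names are hypothetical, and the probe directory approach is
one possible mitigation assumed here, not the fix the advisory refers to.

```python
import errno
import os
import shutil
import stat
import tempfile


def probe_unsafe() -> int:
    """The risky pattern, for contrast only (not called below)."""
    name = tempfile.mktemp()  # only a name: nothing reserves it in the shared temp dir
    try:
        os.execv(name, [name])  # executes the path if someone created it meanwhile
    except OSError as exc:
        return exc.errno
    raise AssertionError("unreachable: a successful exec replaces the process")


def probe_private() -> int:
    """Same probe, but inside a directory only the caller can write to."""
    workdir = tempfile.mkdtemp()  # created atomically with owner-only permissions
    try:
        if stat.S_IMODE(os.stat(workdir).st_mode) & 0o077:
            raise RuntimeError("probe directory is accessible to other users")
        missing = os.path.join(workdir, "does-not-exist")
        try:
            os.execv(missing, [missing])
        except OSError as exc:
            return exc.errno  # the "no such file" error the probe wanted to learn
        raise AssertionError("unreachable: nothing can exist at this path")
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    code = probe_private()
    print(code, errno.errorcode.get(code))
```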
