---

Gentoo Linux Advisory: sharutils


Gentoo Linux Security Advisory GLSA 200410-01


http://security.gentoo.org/


Severity: Normal
Title: sharutils: Buffer overflows in shar.c and unshar.c
Date: October 01, 2004
Bugs: #65773
ID: 200410-01


Synopsis

sharutils contains two buffer overflow vulnerabilities that
could lead to arbitrary code execution.

Background

sharutils contains utilities to manage shell archives.

Affected packages

Package Vulnerable Unaffected
1 app-arch/sharutils <= 4.2.1-r9 >= 4.2.1-r10

Description

sharutils contains two buffer overflows. Ulf Harnhammar
discovered a buffer overflow in shar.c, where the length of data
returned by the wc command is not checked. Florian Schilhabel
discovered another buffer overflow in unshar.c.

Impact

An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils
programs.

Workaround

There is no known workaround at this time.

Resolution

All sharutils users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=app-arch/sharutils-4.2.1-r10"
    # emerge ">=app-arch/sharutils-4.2.1-r10"

References

[ 1 ] Debian Bug #265904

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=265904

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200410-01.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2004 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis