Revision Date: | 2005-04-26 | Version: | 502 |
Title: | RHSA-2005:377: sharutils security update (Low) |
Description: | The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format.
A stack-based overflow bug was found in the way shar handles the -o option. If a user can be tricked into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1772 to this issue. Please note that this issue does not affect Red Hat Enterprise Linux 4.
Two buffer overflow bugs were found in sharutils. If an attacker can place a malicious 'wc' command on a victim's machine, or trick a victim into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1773 to this issue.
A bug was found in the way unshar creates temporary files. A local user could use symlinks to overwrite arbitrary files the victim running unshar has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0990 to this issue.
All users of sharutils should upgrade to this updated package, which includes backported fixes to correct these issues.
|
Family: | unix | Class: | patch |
Status: | | Reference(s): | CVE-2004-1772, CVE-2004-1773, CVE-2005-0990, RHSA-2005:377-01 |
Platform(s): | Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4 | Product(s): | |
Definition Synopsis |
Release Information
  Red Hat Enterprise Linux 3 is installed
  AND sharutils is earlier than 0:4.2.1-16.2
  AND sharutils is signed with Red Hat master key
OR Package Information
  Red Hat Enterprise Linux 4 is installed
  AND sharutils is earlier than 0:4.2.1-22.2
  AND sharutils is signed with Red Hat master key
|