-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0068
Package names: gnupg, tar
Summary: Multiple vulnerabilities
Date: 2006-12-01
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in
  compliance with the OpenPGP specification (RFC2440).

  tar
  The GNU tar program saves many files together in one archive and can
  restore individual files (or all of the files) from that archive. Tar
  can also be used to add supplemental files to an archive and to update
  or list files in the archive. Tar includes multivolume support,
  automatic archive compression/decompression, the ability to perform
  remote archives, and the ability to perform incremental and full
  backups.

Problem description:
  gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Hugh Warrington has reported a vulnerability in GnuPG
    caused by a boundary error in the "ask_outfile_name()" function
    in openfile.c: the "make_printable_string()" function can
    return a string longer than the expected "NAMELEN". This can be
    exploited to cause a buffer overflow.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-6169 to this issue.
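
Added illustration (not part of the Trustix advisory and not GnuPG source code): the class of sizing error described above, where an escaping routine returns more bytes than the caller budgeted for, shown next to a prompt builder that sizes its buffer from the escaped string. The function names, the \xNN escaping scheme, the "+ 10" slack and the sample bytes are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical escaper: printable bytes are copied, every other byte
 * becomes "\xNN", so the result can be up to 4x the input length. */
static char *escape_printable(const unsigned char *in, size_t len)
{
    char *out = malloc(len * 4 + 1), *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (isprint(in[i]) && in[i] != '\\') *p++ = (char)in[i];
        else p += sprintf(p, "\\x%02x", (unsigned)in[i]);
    }
    *p = '\0';
    return out;
}

/* Flawed sizing: budgets for the raw name length plus constructed slack. */
static size_t naive_prompt_size(const char *msg, size_t rawlen)
{
    return strlen(msg) + rawlen + 10;
}

/* Hardened: size the buffer from the escaped string and bound the write. */
static char *build_prompt(const char *msg, const unsigned char *name, size_t len)
{
    char *esc = escape_printable(name, len);
    if (!esc) return NULL;
    size_t n = strlen(msg) + strlen(esc) + sizeof(" []: ");
    char *prompt = malloc(n);
    if (prompt) snprintf(prompt, n, "%s [%s]: ", msg, esc);
    free(esc);
    return prompt;
}

int main(void)
{
    /* Constructed sample: 8 raw bytes, 4 of them non-printable. */
    const unsigned char name[] = { 'a', 0x01, 'b', 0x02, 'c', 0x1b, 'd', 0x7f };
    char *p = build_prompt("Enter new filename", name, sizeof name);
    if (!p) return 1;
    printf("naive=%zu needed=%zu\n%s\n",
           naive_prompt_size("Enter new filename", sizeof name), strlen(p) + 1, p);
    free(p);
    return 0;
}
```

For the sample name the raw-length budget is smaller than the bytes the finished prompt needs, which is the gap an unbounded sprintf() into that buffer would write across.
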

  tar < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream
  - Option -l is now an alias of the --check-links option.
  - SECURITY Fix: Teemu Salmela has reported a security issue in GNU tar
    caused by the "extract_archive()" function in extract.c and the
    "extract_mangle()" function in mangle.c still processing the
    deprecated "GNUTYPE_NAMES" record type containing symbolic links.
    This can be exploited to overwrite arbitrary files.

    The Common Vulnerabilities and Exposures project has assigned the
    name CVE-2006-6097 to this issue.

Action:
  We recommend that all systems with these packages installed be upgraded.
  Please note that if you do not need the functionality provided by a
  package, you may want to remove it from your system.

Location:
  All Trustix Secure Linux updates are available from