-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1438-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
December 28, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : tar
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-4131, CVE-2007-4476

Several vulnerabilities have been discovered in GNU Tar. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4131

     A directory traversal vulnerability enables attackers using
     specially crafted archives to extract contents outside the
     directory tree created by tar.

CVE-2007-4476

     A stack-based buffer overflow in the file name checking code may
     lead to arbitrary code execution when processing maliciously
     crafted archives.

For the stable distribution (etch), these problems have been fixed in
version 1.16-2etch1.

For the old stable distribution (sarge), these problems have been
fixed in 1.14-2.4.

For the unstable distribution (sid), these problems have been fixed in
version 1.18-2.

We recommend that you upgrade your tar package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- ----------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14.orig.tar.gz
    Size/MD5 checksum:  1485633 3094544702b1affa32d969f0b6459663
  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4.dsc
    Size/MD5 checksum:      846 cbcbbd7c638de842f913ac566c3f0b0a
  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4.diff.gz
    Size/MD5 checksum:    51869 2675ec9acdf59ba6f0c54e5325675fcf

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_alpha.deb
    Size/MD5 checksum:   533650 c5e87a25f7c6efd0e39647249f889ca3

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_amd64.deb
    Size/MD5 checksum:   504092 64131456790b8bc4b45e341ce0ca6040

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_arm.deb
    Size/MD5 checksum:   502452 1374822a67eafcd4f385b43479225b7b

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_hppa.deb
    Size/MD5 checksum:   517962 f8d1d70a5989d1cab377efdc7c821e24

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_i386.deb
    Size/MD5 checksum:   500822 3b1099df9c1df15768f8dc568068e02f

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_ia64.deb
    Size/MD5 checksum:   543620 3026d8ed3c4e9203b3af8e7813a7858c

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_m68k.deb
    Size/MD5 checksum:   489264 ec8bab9c3860d11e33b4c5ebef3be8e0

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_mips.deb
    Size/MD5 checksum:   520658 9211a627bc4bd7859bf8e3c538abf342

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_mipsel.deb
    Size/MD5 checksum:   520438 a58746324064e51070a558102a134de3

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_powerpc.deb
    Size/MD5 checksum:   507092 bd57425832d21b0a12843d196c2ba4f0

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_s390.deb
    Size/MD5 checksum:   512130 cd095e0a66981c279d8d1ede88c67a60

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.4_sparc.deb
    Size/MD5 checksum:   499878 062c6de1a4b1b5a0ea9da2926f5d80ec

Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1.diff.gz
    Size/MD5 checksum:    31360 96eb9bcd2d8257893a4f530eb00c9da5
  http://security.debian.org/pool/updates/main/t/tar/tar_1.16.orig.tar.gz
    Size/MD5 checksum:  2199571 d971b9d6114ad0527ef89fab0d3167e0
  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1.dsc
    Size/MD5 checksum:      871 c7d9d75758a04174348cd65bb7aaab16

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_alpha.deb
    Size/MD5 checksum:   738546 c181b637bb4ed83619c0086bb3d19312

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_amd64.deb
    Size/MD5 checksum:   714108 b7287060cfefae808c694a60f9cb421c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_arm.deb
    Size/MD5 checksum:   671036 c20ed223967ec38af1ddf88d1b49eff9

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_hppa.deb
    Size/MD5 checksum:   695748 69013bb176a94d2ef6d17342728ed3f8

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_i386.deb
    Size/MD5 checksum:   675590 5630796721944b8f6c261628b0f2b18d

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_ia64.deb
    Size/MD5 checksum:   807488 0e4fd97fd5fef6a0b4fd6edba44ec9ca

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_mips.deb
    Size/MD5 checksum:   701392 c627d531a2d02d652a8fb220f90e51e1

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_mipsel.deb
    Size/MD5 checksum:   701162 979cdb4ee29782a1b9fa1d68c5de05ee

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_powerpc.deb
    Size/MD5 checksum:   683616 73c25ecbdbf6aac0c814b1b16cdf99ab

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_s390.deb
    Size/MD5 checksum:   694000 2364d67dcc6eb6b160590189fa4553ad

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.16-2etch1_sparc.deb
    Size/MD5 checksum:   668548 ec9e0a954b64ca8cbf8af1412870b8d8


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHdRYaXm3vHE4uyloRAnSyAJ9dEJXC7FpkU3NQtJnCImo0doUnnwCeMZWk
gUArnuL3rSP2xir89rWWpyg=
=y/nl
-----END PGP SIGNATURE-----