1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3562-1] tardiff security update

    From Salvatore Bonaccorso@1:229/2 to All on Sun May 1 14:10:01 2016
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3562-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso
    May 01, 2016 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : tardiff
    CVE ID : CVE-2015-0857 CVE-2015-0858

    Several vulnerabilities were discovered in tardiff, a tarball comparison
    tool. The Common Vulnerabilities and Exposures project identifies the
    following problems:

    CVE-2015-0857

    Rainer Mueller and Florian Weimer discovered that tardiff is prone
    to shell command injections via shell meta-characters in filenames
    in tar files or via shell meta-characters in the tar filename
    itself.

    CVE-2015-0858

    Florian Weimer discovered that tardiff uses predictable temporary
    directories for unpacking tarballs. A malicious user can use this
    flaw to overwrite files with permissions of the user running the
    tardiff command line tool.

    For the stable distribution (jessie), these problems have been fixed in
    version 0.1-2+deb8u2.

    For the unstable distribution (sid), these problems have been fixed in
    version 0.1-5 and partially in earlier versions.

    We recommend that you upgrade your tardiff packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJXJfAgAAoJEAVMuPMTQ89EV+QP/R8LbIJAyYPHzBYA0XOSHb/l JDmX1JCR32xv3ucV0xqoSR3BoU4DA3DpZKgDF4/zMBq88F2vTUXkI1xbk24puwjr l7926AdWSVbhti5FOnh+btuaKVuanpYcGv/Sr0BNt4gbYKYdNSt4NYl0M5XnPYUT MZfpoVbeMm5LILJG1IWdZzJNmeUsTtRotDbadQpkraR7/ahyNTwdae6OQXw4+6wC 4U11PQc7/GleEAziCPK9Pl3WG/jPc1SbhLE8xDCHAPvZZXRMFSUJqk1VuwE5K2Zg sOMt1Y+CeCg8HoELgIh8lKlBQgYe79alNXWl44eRm6w+u7SsPVWhdKuTdXYQT0+N hE5uAxzvo9mAxPwS39lC/yMKrJR73An8XWriioqeiybs/304Cz10m3x/p1wHquPx ED34jK/fTZY3w81tkG6uE0fZkgqgfAY1KsgjylSfgLzXMDl22hO7jPsOkeYObZWC qSKkt6OIUM01FC5M1EIqGZk5+MSizF2JEJ+vLdKsSLKdlT+PewdlhS0pyWogWGfi TAWU6fVyhYuTAhdgxd33Vq842e/Y93nK6WsQXfYMom0F/TKsmx1GXTkEBQ5PRifj b70+PCO0tmiJchB6If5xCobmYqcWrBjaejiZsngf4Ucdj0cj5E0BxxLd4huM31Bu 4nFnFc7wK6iE8uCjUMZW
    =NDef
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)