Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

To: Steve Kemp <skx@debian.org>
Cc: Mathieu Roy <yeupou@coleumes.org>, debian-security@lists.debian.org, "Private list for gna.org machine sysadmins." <private@gna.org>
Subject: Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 08 Mar 2006 23:02:28 +0100
Message-id: <[🔎] 87zmk0r3wr.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20060308091742.GA16233@steve.org.uk> (Steve Kemp's message of "Wed, 8 Mar 2006 09:17:42 +0000")
References: <20060307141958.GA6762@informatik.uni-bremen.de> <[🔎] 200603080941.39292@eos.attique.ici> <[🔎] 20060308091742.GA16233@steve.org.uk>

* Steve Kemp:

> On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:
>
>> > Package        : tar
>> > Vulnerability  : buffer overflow
>> > Problem-Type   : local(remote)
>> 
>> What does mean 
>> 	local(remote)
>> 
>> Does it means local... or remote?
>
>   Local.  But remote in the sense that you may receive a .tar file
>  from a remote source.

NVD calls this "user-initiated".  With infrastructure software like
tar, it's hard to tell how it is indirectly exposed to the network, so
the attack range classification does not make much sense (even more
difficult is zlib; tar has got at least a bit of networking support).

Reply to:

References:
- Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution
  - From: Mathieu Roy <yeupou@coleumes.org>
- Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution
  - From: Steve Kemp <skx@debian.org>

Prev by Date: Re: first A record of security.debian.org extremely slow
Next by Date: Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution
Previous by thread: Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution
Next by thread: Re: tartini (one of the security mirrors) unreliable
Index(es):
- Date
- Thread