Bugtraqmailing list archives

By Date

By Thread

[SECURITY] [DSA 652-1] New unarj packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1- --------------------------------------------------------------------------Debian Security Advisory DSA 652-1                     security () debian orghttp://www.debian.org/security/                             Martin SchulzeJanuary 21st, 2005http://www.debian.org/security/faq- --------------------------------------------------------------------------Package        : unarjVulnerability  : severalProblem-Type   : local (remote)Debian-specific: noCVE ID         : CAN-2004-0947 CAN-2004-1027Debian Bug     : 281922Several vulnerabilities have been discovered in unarj, a non-free ARJunarchive utility.  The Common Vulnerabilities and Exposures Projectidentifies the following vulnerabilities:CAN-2004-0947    A buffer overflow has been discovered when handling long file    names contained in an archive.  An attacker could create a    specially crafted archive which could cause unarj to crash or    possibly execute arbitrary code when being extracted by a victim.CAN-2004-1027    A directory traversal vulnerability has been found so that an    attacker could create a specially crafted archive which would    create files in the parent directory when being extracted by a    victim.  When used recursively, this vulnerability could be used    to overwrite critical system files and programs.For the stable distribution (woody) these problems have been fixed inversion 2.43-3woody1.For the unstable distribution (sid) these problems don't apply sinceunstable/non-free does not contain the unarj package.We recommend that you upgrade your unarj package.Upgrade Instructions- --------------------wget url        will fetch the file for youdpkg -i file.deb        will install the referenced file.If you are using the apt-get package manager, use the line forsources.list as given below:apt-get update        will update the internal databaseapt-get upgrade        will install corrected packagesYou may use an automated update by adding the resources from thefooter to the proper configuration.Debian GNU/Linux 3.0 alias woody- --------------------------------  Source archives:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.dsc      Size/MD5 checksum:      528 e1d166f2eaf315641d1269a32ad1dc76http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.diff.gz      Size/MD5 checksum:    12903 4ef4cfad33d05ecc048d63596ab2673chttp://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43.orig.tar.gz      Size/MD5 checksum:    39620 7a481dc017f1fbfa7f937a97e66eb99f  Alpha architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_alpha.deb      Size/MD5 checksum:    29668 08dc91afd3146ccdfaa51d73f8be56e5  ARM architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_arm.deb      Size/MD5 checksum:    22784 ed352d363cbeb34ba2268db63a632824  Intel IA-32 architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_i386.deb      Size/MD5 checksum:    20690 aa9490bd82bc9aef4f6092d19fa83eaa  Intel IA-64 architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_ia64.deb      Size/MD5 checksum:    31072 0b1f0403cfaaf572399fcb60b2549664  HP Precision architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_hppa.deb      Size/MD5 checksum:    23888 15a8d6b0b7b565186398c0b8ebe3eb6a  Motorola 680x0 architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_m68k.deb      Size/MD5 checksum:    20384 644a6dcc9f566bad384c050bc8b8fb14  PowerPC architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_powerpc.deb      Size/MD5 checksum:    23060 5c5a1f0157aa613337f80b439e78456f  IBM S/390 architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_s390.deb      Size/MD5 checksum:    22668 97dc977c8217a10d4915ee32db49edd5  Sun Sparc architecture:http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_sparc.deb      Size/MD5 checksum:    25386 bd2210a978ad30306e3db2ab112c87e8  These files will probably be moved into the stable distribution on  its next update.- ---------------------------------------------------------------------------------For apt-get: debhttp://security.debian.org/ stable/updates mainFor dpkg-ftp:ftp://security.debian.org/debian-security dists/stable/updates/mainMailing list: debian-security-announce () lists debian orgPackage info: `apt-cache show <pkg>' andhttp://packages.debian.org/<pkg>-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.2.5 (GNU/Linux)iD8DBQFB8L/1W5ql+IAeqTIRAiqfAJ9G2Qz1XaGuTV9D9HsLH77/pOwOswCfWdUasOBvZN8plbTquPjXFFac16Q==I0rL-----END PGP SIGNATURE-----

By Date

By Thread

Current thread:

• [SECURITY] [DSA 652-1] New unarj packages fix several vulnerabilitiesMartin Schulze (Jan 21)