SUSE-SU-2019:14215-1

Опубликовано: 11 нояб. 2019

Источник: suse-cvrf

Описание

Security update for tar

This update for tar to version 1.27.1 fixes the following issues:

tar 1.27.1 brings following changes (jsc#ECO-339)

Sparse files with large data
No backticks in quoting
--owner and --group names and numbers
Support for POSIX ACLs, extended attributes and SELinux context.
Passing command line arguments to external commands.
New configure option --enable-gcc-warnings, intended for debugging.
New warning control option --warning=[no-]record-size
New command line option --keep-directory-symlink
Fix unquoting of file names obtained via the -T option.
Fix GNU long link header timestamp (backward compatibility).

Security issues fixed:

CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

Список пакетов

SUSE Linux Enterprise Point of Sale 11 SP3

tar-1.27.1-14.8.1

SUSE Linux Enterprise Server 11 SP4-LTSS

tar-1.27.1-14.8.1

Ссылки

https://www.suse.com/support/update/announcement/2019/suse-su-201914215-1/
Link for SUSE-SU-2019:14215-1
https://lists.suse.com/pipermail/sle-security-updates/2019-November/006107.html
E-Mail link for SUSE-SU-2019:14215-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1120610
SUSE Bug 1120610
https://bugzilla.suse.com/1130496
SUSE Bug 1130496
https://bugzilla.suse.com/1152736
SUSE Bug 1152736
https://www.suse.com/security/cve/CVE-2018-20482/
SUSE CVE CVE-2018-20482 page
https://www.suse.com/security/cve/CVE-2019-9923/
SUSE CVE CVE-2019-9923 page
https://bugzilla.suse.com/ECO-339
SUSE Bug ECO-339

Описание

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

Затронутые продукты

SUSE Linux Enterprise Point of Sale 11 SP3:tar-1.27.1-14.8.1

SUSE Linux Enterprise Server 11 SP4-LTSS:tar-1.27.1-14.8.1

Ссылки

https://www.suse.com/security/cve/CVE-2018-20482.html
CVE-2018-20482
https://bugzilla.suse.com/1120610
SUSE Bug 1120610

Описание

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

Затронутые продукты

SUSE Linux Enterprise Point of Sale 11 SP3:tar-1.27.1-14.8.1

SUSE Linux Enterprise Server 11 SP4-LTSS:tar-1.27.1-14.8.1

Ссылки

https://www.suse.com/security/cve/CVE-2019-9923.html
CVE-2019-9923
https://bugzilla.suse.com/1130496
SUSE Bug 1130496

SUSE-SU-2019:14215-1

Описание

Список пакетов

SUSE Linux Enterprise Point of Sale 11 SP3

SUSE Linux Enterprise Server 11 SP4-LTSS

Ссылки

Уязвимость: CVE-2018-20482

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2019-9923

Описание

Затронутые продукты

Ссылки