Fedora Legacy Test Update Notification: sharutils

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Feb 10 02:15:55 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2155
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2155
2005-02-09
---------------------------------------------------------------------

Name        : sharutils
7.3 Version : sharutils-4.2.1-12.7.x.legacy
9 Version   : sharutils-4.2.1-16.9.1.legacy
fc1 Version : sharutils-4.2.1-17.2.legacy
Summary     : The GNU shar utilities for managing shell archives.
Description :
The sharutils package contains the GNU shar utilities, a set of tools
for encoding and decoding packages of files (in binary or text format)
in a special plain text format called shell archives (shar). This
format can be sent through email (which can be problematic for regular
binary files). The shar utility supports a wide range of capabilities
(compressing, uuencoding, splitting long files for multi-part
mailings, providing checksums), which make it very flexible. After the
files have been sent, the unshar tool scans mail messages looking for
shar files. Unshar automatically strips off mail headers and
introductory text and then unpacks the shar files.

---------------------------------------------------------------------
Update Information:

Updated packages for sharutils which fix security vulnerabilities are
now available.

The sharutils package contains a set of tools for encoding and decoding
packages of files in binary or text format.

Ulf Harnhammar discovered a buffer overflow in shar.c, where the length
of data returned by the wc command is not checked. Florian Schilhabel
discovered another buffer overflow in unshar.c. Shaun Colley discovered
a stack-based buffer overflow vulnerability in the -o command-line
option handler. An attacker could exploit these vulnerabilities to
execute arbitrary code as the user running one of the sharutils
programs.

All users of sharutils should upgrade to these packages, which resolve
these issues.

---------------------------------------------------------------------
Changelogs:

rh73:
* Sat Feb 05 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 4.2.1-12.7.x.legacy
- Added missing gettext and mailx BuildRequires

* Tue Oct 19 2004 Simon Weller <simon at potelweller.com> 4.2.1-11.7.x.legacy
- Added missed patch for Buffer overflow in handling of -o option
- Reference: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123230

* Mon Oct 18 2004 Simon Weller <simon at potelweller.com> 4.2.1-10.7.x.legacy
- Added patch for shar.c buffer overflow
- Added patch for unshar.c buffer overflow
- Reference: http://www.securityfocus.com/advisories/7268

rh9:
* Sat Feb 05 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 4.2.1-16.9.1.legacy
- Added missing gettext and mailx BuildRequires

* Tue Oct 19 2004 Simon Weller <simon at potelweller.com> 4.2.1-16.9.legacy
- Added missed patch for Buffer overflow in handling of -o option
- Reference: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123230

* Mon Oct 18 2004 Simon Weller <simon at potelweller.com> 4.2.1-15.9.legacy
- Added patch for shar.c buffer overflow
- Added patch for unshar.c buffer overflow
- Reference: http://www.securityfocus.com/advisories/7268

fc1:
* Sat Feb 05 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 4.2.1-17.2.legacy
- Added missing gettext and mailx to BuildRequires

* Thu Oct 21 2004 Rob Myers <rob.myers at gtri.gatech.edu> 4.2.1-17.1.legacy
- add patches for multiple buffer overflows (FL #2155)

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedoralegacy.org/
(sha1sums)

192306ce2a6cecb89a950040b850f86a28b26998 redhat/7.3/updates-testing/i386/sharutils-4.2.1-12.7.x.legacy.i386.rpm
25fdf9cb3237bb9a7f9cd5fd211412d74f4f05c6 redhat/7.3/updates-testing/SRPMS/sharutils-4.2.1-12.7.x.legacy.src.rpm
d6f2e705ae07f48f5dbbc742f44cbc4dea4c446d redhat/9/updates-testing/i386/sharutils-4.2.1-16.9.1.legacy.i386.rpm
678acff4ea03db0aa8bc8f8d90630ffe51d27625 redhat/9/updates-testing/SRPMS/sharutils-4.2.1-16.9.1.legacy.src.rpm
457f8c7a9bc795c5d33bd8bb3e508e2b1e884df0 fedora/1/updates-testing/i386/sharutils-4.2.1-17.2.legacy.i386.rpm
7fad3189ab60428f22869daf15304aa1c24b3037 fedora/1/updates-testing/SRPMS/sharutils-4.2.1-17.2.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
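
The shar.c issue described in the advisory is an unchecked length on data returned by another command (wc). As an added illustration, which is not sharutils code and not part of the original advisory, this C example reads such a count with an explicit bound and rejects anything that does not fit; `read_count`, `read_count_from_text` and `COUNT_MAX` are hypothetical names, and the inputs are constructed.

```c
#define _POSIX_C_SOURCE 200809L  /* for popen/pclose */
#include <stdio.h>
#define COUNT_MAX 32             /* assumed bound: a decimal byte count fits easily */

/* Unsafe pattern, shown only as a comment: "%s" carries no field width,
 * so the child's output, not the buffer size, decides how much is written.
 *     char count[COUNT_MAX];  fscanf(pipe, "%s", count);            */
/* Copy the first whitespace-delimited token of `in` into `out`.
 * Returns 0 on success; -1 if the token is missing, is not all digits,
 * or would not fit in `outsz` bytes including the terminator. */
int read_count(FILE *in, char *out, size_t outsz)
{
    size_t n = 0;
    int c;
    if (in == NULL || out == NULL || outsz == 0) return -1;
    out[0] = '\0';
    do { c = fgetc(in); } while (c == ' ' || c == '\t' || c == '\n');
    for (; c != EOF && c != ' ' && c != '\t' && c != '\n'; c = fgetc(in)) {
        if (c < '0' || c > '9' || n + 1 >= outsz) {
            out[0] = '\0';       /* reject: never hand back a partial value */
            return -1;
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* Constructed stand-in for a child's output: feed `text` through a temp file. */
int read_count_from_text(const char *text, char *out, size_t outsz)
{
    FILE *f = tmpfile();
    int rc;
    if (f == NULL) return -1;
    fputs(text, f);
    rewind(f);
    rc = read_count(f, out, outsz);
    fclose(f);
    return rc;
}

int main(void)
{
    char count[COUNT_MAX];
    FILE *p = popen("printf 'hello' | wc -c", "r");
    if (p != NULL && read_count(p, count, sizeof count) == 0) printf("%s bytes\n", count);
    if (p != NULL) pclose(p);
    return 0;
}
```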