Debian Bug report logs - #725938
libtar: CVE-2013-4397: Integer overflow


Package: libtar; Maintainer for libtar is Magnus Holmgren <holmgren@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 10 Oct 2013 05:54:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Fixed in versions libtar/1.2.20-1, libtar/1.2.16-1+deb7u1, libtar/1.2.11-6+deb6u1

Done: Magnus Holmgren <holmgren@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#725938; Package libtar. (Thu, 10 Oct 2013 05:54:07 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Magnus Holmgren <holmgren@debian.org>. (Thu, 10 Oct 2013 05:54:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libtar: CVE-2013-4397: Integer overflow
Date: Thu, 10 Oct 2013 07:50:40 +0200
Package: libtar
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libtar.

CVE-2013-4397[0]:
Integer overflow

Upstream announcement is at [1] and the commit fixing this issue is at
[2]. 1.2.20 upstream fixes this issue too. But see also [3].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397
    http://security-tracker.debian.org/tracker/CVE-2013-4397
[1] https://lists.feep.net:8080/pipermail/libtar/2013-October/000361.html
[2] http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04
[3] http://www.openwall.com/lists/oss-security/2013/10/10/8

Regards,
Salvatore



Reply sent to Magnus Holmgren <holmgren@debian.org>:
You have taken responsibility. (Thu, 10 Oct 2013 17:51:05 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 10 Oct 2013 17:51:05 GMT)

Message #10 received at 725938-close@bugs.debian.org:

From: Magnus Holmgren <holmgren@debian.org>
To: 725938-close@bugs.debian.org
Subject: Bug#725938: fixed in libtar 1.2.20-1
Date: Thu, 10 Oct 2013 17:48:34 +0000
Source: libtar
Source-Version: 1.2.20-1

We believe that the bug you reported is fixed in the latest version of
libtar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Magnus Holmgren <holmgren@debian.org> (supplier of updated libtar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 10 Oct 2013 19:20:49 +0200
Source: libtar
Binary: libtar-dev libtar0
Architecture: source amd64
Version: 1.2.20-1
Distribution: unstable
Urgency: high
Maintainer: Magnus Holmgren <holmgren@debian.org>
Changed-By: Magnus Holmgren <holmgren@debian.org>
Description: 
 libtar-dev - C library for manipulating tar archives (development files)
 libtar0    - C library for manipulating tar archives
Closes: 725938
Changes: 
 libtar (1.2.20-1) unstable; urgency=high
 .
   * [SECURITY] New upstream release. Fixes CVE-2013-4397: Integer
     overflow (Closes: #725938).
   * Bump Standards-Version to 3.9.4.
Checksums-Sha1: 
 43dccd1a99eadcef7419656e6468333c4a0177f9 1240 libtar_1.2.20-1.dsc
 8589154a4707033b3f2dd2d201918cd6a7064d5e 63542 libtar_1.2.20.orig.tar.gz
 1bade84273df5236c43b8ed22a9012f4c3dbd212 4615 libtar_1.2.20-1.debian.tar.gz
 346cc4ebd85b843e9122e16d5a5a440da13e8325 40814 libtar-dev_1.2.20-1_amd64.deb
 0b1aea991000d15745270cec9e5bd1ebac28bc17 21468 libtar0_1.2.20-1_amd64.deb
Checksums-Sha256: 
 c73111a5a99645df8a65de49521b0ade6d213414c2983d8c20ee5cc485700fa3 1240 libtar_1.2.20-1.dsc
 50f24c857a7ef1cb092e6508758b86d06f1188508f897f3e6b40c573e8879109 63542 libtar_1.2.20.orig.tar.gz
 8d749cfc6dd8ec012355928b0a446582e6aaf1b57763acb6cec5fb50e6ad2b14 4615 libtar_1.2.20-1.debian.tar.gz
 efbacafc3de331e3add667012e936a767edb0b562f7133b656adf60e7ff46ec3 40814 libtar-dev_1.2.20-1_amd64.deb
 28c396015944b2a1ac92b099d7b75862815909cd49d2e4b70e7557eefe146b23 21468 libtar0_1.2.20-1_amd64.deb
Files: 
 4b36f0b2c7d22ecf8b6ba6c407554186 1240 libs optional libtar_1.2.20-1.dsc
 6ced95ab3a4b33fbfe2dfb231d156cdb 63542 libs optional libtar_1.2.20.orig.tar.gz
 55cedff3d6b0f811ab8fbf767d83a1d9 4615 libs optional libtar_1.2.20-1.debian.tar.gz
 cfa9f4d342ccb15630f8f0806ce5e707 40814 libdevel optional libtar-dev_1.2.20-1_amd64.deb
 d64f8f70a848998fca99fd7040688adf 21468 libs optional libtar0_1.2.20-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEAREIAAYFAlJW5DQACgkQk7mRNn1h4+ZpewCg7kFhXxhSbjTD+wISFiwr54GJ
q/kAn2vgUHaDUC50ZoML5p/fBWs6GAlg
=DXwX
-----END PGP SIGNATURE-----




Reply sent to Magnus Holmgren <holmgren@debian.org>:
You have taken responsibility. (Sat, 14 Dec 2013 16:51:11 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 14 Dec 2013 16:51:11 GMT)

Message #15 received at 725938-close@bugs.debian.org:

From: Magnus Holmgren <holmgren@debian.org>
To: 725938-close@bugs.debian.org
Subject: Bug#725938: fixed in libtar 1.2.16-1+deb7u1
Date: Sat, 14 Dec 2013 16:47:08 +0000
Source: libtar
Source-Version: 1.2.16-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libtar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Magnus Holmgren <holmgren@debian.org> (supplier of updated libtar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Oct 2013 20:23:17 +0200
Source: libtar
Binary: libtar-dev libtar0
Architecture: source amd64
Version: 1.2.16-1+deb7u1
Distribution: wheezy-security
Urgency: low
Maintainer: Magnus Holmgren <holmgren@debian.org>
Changed-By: Magnus Holmgren <holmgren@debian.org>
Description: 
 libtar-dev - C library for manipulating tar archives (development files)
 libtar0    - C library for manipulating tar archives
Closes: 725938
Changes: 
 libtar (1.2.16-1+deb7u1) wheezy-security; urgency=low
 .
   * [SECURITY] size_t-overflow_cve-2013-4397.patch: Fix CVE-2013-4397:
     Integer overflow (Closes: #725938).
Checksums-Sha1: 
 f44c24c8d7ce4e746cc5ecc857fa98aa6c6a9324 1266 libtar_1.2.16-1+deb7u1.dsc
 4a0c000592d754b2c9a084861de46b5b9e3d01c5 62041 libtar_1.2.16.orig.tar.gz
 3585a2194d953d6ae3a98a652a4203085941cacd 5592 libtar_1.2.16-1+deb7u1.debian.tar.gz
 e5494415f802e50170b3bfe0a7ec7968aed9dd32 45250 libtar-dev_1.2.16-1+deb7u1_amd64.deb
 6a2a8033f4d9ca2ee0ac69ea656f86245535b2cd 24668 libtar0_1.2.16-1+deb7u1_amd64.deb
Checksums-Sha256: 
 9ed036e4383e154b3a462570f77dc852bde869a0d92a02e3992d1abc413e8fd1 1266 libtar_1.2.16-1+deb7u1.dsc
 e5ae2daa0f984664dcde2229346d252251c873a76abbfedd1ee346354e0ec3f7 62041 libtar_1.2.16.orig.tar.gz
 15d0cdbb28b35c5dae9cbdd2b1a0db527b0931c26c8aac93694a9b336ddbe3fd 5592 libtar_1.2.16-1+deb7u1.debian.tar.gz
 3f3913f57aec457399933ff85bf33cb99c873b0126c380339b2c79694bd350e6 45250 libtar-dev_1.2.16-1+deb7u1_amd64.deb
 44826537d2746557d5f03bb2a38ac9fbf3275147c508f67a69bf259955d47c9e 24668 libtar0_1.2.16-1+deb7u1_amd64.deb
Files: 
 b182ce6127890e99b0a23d8934a781eb 1266 libs optional libtar_1.2.16-1+deb7u1.dsc
 1f32e6e558f391a72730b8c637bd5544 62041 libs optional libtar_1.2.16.orig.tar.gz
 e5af389f642ee95b7d6bb1a20e353f91 5592 libs optional libtar_1.2.16-1+deb7u1.debian.tar.gz
 64692c05ae723df4e6cea06f4a594917 45250 libdevel optional libtar-dev_1.2.16-1+deb7u1_amd64.deb
 e8d7940935b903d576cc5a1b49287924 24668 libs optional libtar0_1.2.16-1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlKq4h0ACgkQQWTRs4lLtHnyRgCfaSAyZHL0me1FfgKYIaMcGR2N
dk8AoIVquAzAz/z0RhUG1h5xa1Ev0OVN
=rnPh
-----END PGP SIGNATURE-----




Reply sent to Magnus Holmgren <holmgren@debian.org>:
You have taken responsibility. (Sun, 22 Dec 2013 13:51:05 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 22 Dec 2013 13:51:05 GMT)

Message #20 received at 725938-close@bugs.debian.org:

From: Magnus Holmgren <holmgren@debian.org>
To: 725938-close@bugs.debian.org
Subject: Bug#725938: fixed in libtar 1.2.11-6+deb6u1
Date: Sun, 22 Dec 2013 13:48:01 +0000
Source: libtar
Source-Version: 1.2.11-6+deb6u1

We believe that the bug you reported is fixed in the latest version of
libtar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Magnus Holmgren <holmgren@debian.org> (supplier of updated libtar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Oct 2013 20:34:07 +0200
Source: libtar
Binary: libtar-dev libtar
Architecture: source amd64
Version: 1.2.11-6+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Julien Danjou <acid@debian.org>
Changed-By: Magnus Holmgren <holmgren@debian.org>
Description: 
 libtar     - C library for manipulating tar archives
 libtar-dev - C library for manipulating tar archives
Closes: 725938
Changes: 
 libtar (1.2.11-6+deb6u1) squeeze-security; urgency=high
 .
   * [SECURITY] Fix CVE-2013-4397: Integer overflow (Closes: #725938).
     Patch from
     http://repo.or.cz/w/libtar.git/commitdiff/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04
Checksums-Sha1: 
 b31c405579a1df512c69cd79ab332e0444eb539b 1008 libtar_1.2.11-6+deb6u1.dsc
 9611f23024b0e89aad1cfea301122186b3c160f8 145354 libtar_1.2.11.orig.tar.gz
 015d0685e856687ef920b33c6af009086f51402a 254719 libtar_1.2.11-6+deb6u1.diff.gz
 d8b29509924b135a968c779ae4f77268fe76b1e1 42444 libtar-dev_1.2.11-6+deb6u1_amd64.deb
 45f824a041338ed60eac929c34a94d182fa7a1c7 21862 libtar_1.2.11-6+deb6u1_amd64.deb
Checksums-Sha256: 
 8f5a3d0cb3897c433df412a0a134078f8b40cf7219207de8ac8665981724175d 1008 libtar_1.2.11-6+deb6u1.dsc
 4a2eefb6b7088f41de57356e5059cbf1f917509b4a810f7c614625a378e87bb8 145354 libtar_1.2.11.orig.tar.gz
 f04b7a8080f986e9c0c5db340449cd3679bc64d1c83874edd1cb495cb5851c75 254719 libtar_1.2.11-6+deb6u1.diff.gz
 f3d11d07c861a2800a01c851c856b44a3bb0cbe9988aae922d94ae1aa36f8125 42444 libtar-dev_1.2.11-6+deb6u1_amd64.deb
 4637ba2ed95e6e664688f0eb71e28026288e49d5013ad4ccaac20e20c6006057 21862 libtar_1.2.11-6+deb6u1_amd64.deb
Files: 
 e5eccc9018fac1b65b690bc5372a6e23 1008 libs optional libtar_1.2.11-6+deb6u1.dsc
 604238e8734ce6e25347a58c4f1a1d7e 145354 libs optional libtar_1.2.11.orig.tar.gz
 58a814af14a0f4166d9f86fec962af83 254719 libs optional libtar_1.2.11-6+deb6u1.diff.gz
 7a420f60430d397759ad74ffdd4e9ac7 42444 libdevel optional libtar-dev_1.2.11-6+deb6u1_amd64.deb
 8bdd8818de36751b519ff809fa5bc488 21862 libs optional libtar_1.2.11-6+deb6u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlKq46IACgkQQWTRs4lLtHlpggCfeeHSC3pxe8Y+amiUW9o1DQK8
MYsAniIBd4tWDMpwoPyWOkvAF/45E2JO
=iHcs
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Feb 2014 07:30:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 09:12:50 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.