Bug 130602 - vuxml submission for archivers/gtar
Summary: vuxml submission for archivers/gtar
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Christian Weisgerber
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-01-16 05:40 UTC by mark
Modified: 2009-01-16 16:20 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description mark 2009-01-16 05:40:01 UTC 
Fix: 

<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="0809ce7d-f672-4924-9b3b-7c74bc279b83">
    <topic>gtar -- GNU TAR and CPIO safer_name_suffix Remote Denial of Service Vulnerability</topic>
    <affects>
      <package>
        <name>gtar</name>
        <range><lt>1.16</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>SecurityFocus reports:</p>
        <blockquote cite="http://www.securityfocus.com/bid/26445/">
          <p>GNUs tar and cpio utilities are prone to a denial-of-service vulnerability because of insecure use of the alloca function.

Successfully exploiting this issue allows attackers to crash the affected utilities and possibly to execute code but this has not been confirmed.

GNU tar and cpio utilities share the same vulnerable code and are both affected. Other utilities sharing this code may also be affected. </p>
        </blockquote>
      </body>
    </description>
    <references>
     <url>http://www.securityfocus.com/bid/26445/</url>
     <cvename>CVE-2007-4476</cvename>
     <bid>26445</bid>
    </references>
    <dates>
      <discovery>2007-11-14</discovery>
      <entry>2009-01-15</entry>
    </dates>
  </vuln>
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2009-01-16 05:40:12 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->naddy

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2009-01-16 16:11:15 UTC 
naddy       2009-01-16 16:11:04 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Document vulnerability in older versions of GNU tar.
  
  PR:             130602
  Submitted by:   Mark Foster <mark@foster.cc>
  
  Revision  Changes    Path
  1.1825    +33 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 3 Christian Weisgerber freebsd_committer freebsd_triage 2009-01-16 16:14:28 UTC 
State Changed
From-To: open->closed

Committed with some modifications, thank you. 
As far as I can tell, all gtar versions prior to 1.19 are affected.