sharutils: Buffer overflows in shar.c and unshar.c


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200410-01 / sharutils
Release Date: October 01, 2004
Latest Revision: May 22, 2006: 02
Impact: normal
Exploitable: remote

Package: app-arch/sharutils
Vulnerable versions: <= 4.2.1-r9
Unaffected versions: >= 4.2.1-r10
Architecture(s): All supported architectures

Related bugreports: #65773


sharutils contains two buffer overflow vulnerabilities that could lead to arbitrary code execution.

2.  Impact Information


sharutils contains utilities to manage shell archives.


sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c.
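
The shar.c flaw described above belongs to a common class: output read from a child process (here wc) is copied into a fixed-size buffer without checking its length. The C code below is an added illustration of a bounded reader for such a field, not code from sharutils or from its fix; FIELD_MAX, read_count_field and field_len_for are assumed names and sizes. It goes slightly beyond the length check by also rejecting a field that is not a decimal count.

```c
#include <ctype.h>
#include <stdio.h>

#define FIELD_MAX 16 /* assumed destination size, not taken from shar.c */
/* Unsafe pattern, for contrast only (not compiled):
 *   char field[FIELD_MAX];
 *   fscanf(stream, "%s", field);   no width limit, long output overruns field */
/* Copy the first whitespace-delimited token of stream into out.
 * Returns its length, -1 if the stream holds no token, or -2 if the token
 * does not fit or is not a decimal count (rejected, never truncated). */
int read_count_field(FILE *stream, char *out, size_t outsz)
{
    size_t n = 0;
    int c;
    if (outsz == 0) return -2;
    out[0] = '\0';
    while ((c = fgetc(stream)) != EOF && isspace(c))
        ; /* skip leading blanks */
    if (c == EOF) return -1;
    do {
        if (n + 1 >= outsz || !isdigit(c)) { /* keep room for the NUL */
            out[0] = '\0';
            return -2;
        }
        out[n++] = (char)c;
    } while ((c = fgetc(stream)) != EOF && !isspace(c));
    out[n] = '\0';
    return (int)n;
}

/* Run the reader over constructed text standing in for the child's output. */
int field_len_for(const char *simulated_output)
{
    char field[FIELD_MAX];
    FILE *f = tmpfile();
    int r;
    if (f == NULL) return -3; /* could not create scratch file */
    fputs(simulated_output, f);
    rewind(f);
    r = read_count_field(f, field, sizeof field);
    fclose(f);
    return r;
}

int main(void)
{
    printf("%d %d\n", field_len_for("  1234 file\n"), field_len_for("99999999999999999999 f\n"));
    return 0;
}
```

Rejecting the oversized field instead of truncating it keeps a malformed count from being silently used downstream.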


An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.

3.  Resolution Information


There is no known workaround at this time.


All sharutils users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge sync

# emerge -pv ">=app-arch/sharutils-4.2.1-r10"
# emerge ">=app-arch/sharutils-4.2.1-r10"

4.  References


Page updated October 01, 2004
