sharutils: Buffer overflows in shar.c and unshar.c

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200410-01 / sharutils
Release Date: October 01, 2004
Latest Revision: May 22, 2006: 02
Impact: normal
Exploitable: remote

Package: app-arch/sharutils
Vulnerable versions: <= 4.2.1-r9
Unaffected versions: >= 4.2.1-r10
Architecture(s): All supported architectures

Related bugreports: #65773

Synopsis

sharutils contains two buffer overflow vulnerabilities that could lead to arbitrary code execution.

2.  Impact Information

Background

sharutils contains utilities to manage shell archives.

Description

sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c.
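
The bug class described for shar.c, output of an external command copied into a fixed buffer without a length check, sketched in C next to a checked version. This is an added example, not sharutils source and not part of the advisory; the function names, the 16-byte buffer and the sample strings are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COUNT_BUF 16  /* assumed size of the fixed buffer, for illustration */

/* Unsafe pattern: "%s" has no field width, so a long first token in the
 * command output is written past the end of dst. Shown for contrast only. */
int read_count_unchecked(const char *cmd_output, char *dst)
{
    return sscanf(cmd_output, "%s", dst) == 1 ? 0 : -1;
}

/* Checked pattern: measure the first token, reject it if it is not purely
 * decimal digits (-1) or does not fit with its terminator (-2), then copy. */
int read_count_checked(const char *cmd_output, char *dst, size_t dstsz)
{
    const char *p = cmd_output;
    size_t len = 0;
    if (dst == NULL || dstsz == 0 || cmd_output == NULL)
        return -1;
    dst[0] = '\0';                        /* dst is never left uninitialised */
    while (isspace((unsigned char)*p))    /* wc may pad its count with blanks */
        p++;
    while (isdigit((unsigned char)p[len]))
        len++;

    if (len == 0)                         /* no digits at all */
        return -1;
    if (p[len] != '\0' && !isspace((unsigned char)p[len]))
        return -1;                        /* digits followed by other bytes */
    if (len >= dstsz)                     /* would not fit with the NUL */
        return -2;

    memcpy(dst, p, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured from a real system. */
    const char *normal = "   1234 archive.txt\n";
    const char *too_long = "99999999999999999999999999999999 x\n";
    char buf[COUNT_BUF];
    printf("normal   -> %d (%s)\n", read_count_checked(normal, buf, sizeof buf), buf);
    printf("too long -> %d\n", read_count_checked(too_long, buf, sizeof buf));
    return 0;
}
```

The checked function treats the helper program's output as untrusted input: it validates both content and length before the copy, and the caller decides what to do when the value is rejected.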

Impact

An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All sharutils users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge sync

# emerge -pv ">=app-arch/sharutils-4.2.1-r10"
# emerge ">=app-arch/sharutils-4.2.1-r10"

4.  References



Page updated October 01, 2004

Summary: This is a Gentoo Linux Security Advisory
