Fedora has issued an advisory on March 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LSTLNKMVXDRS7L32VJ5TIEL4Q4PVSGNE/ Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Patch available from FedoraWhiteboard: (none) => MGA6TOO
CC: (none) => smelrorAssignee: bugsquad => smelror
Advisory ======== It was discovered that unshar from sharutils contained a heap buffer overflow flaw that could result in a Denial of Service attack when processing a shar archive if the archive contains overlong lines. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=1548018 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LSTLNKMVXDRS7L32VJ5TIEL4Q4PVSGNE/ Files ===== Uploaded to core/update_testing: sharutils-4.15.2-2.1.mga6 from sharutils-4.15.2-2.1.mga6.src.rpm
Assignee: smelror => qa-bugsWhiteboard: MGA6TOO => (none)Version: Cauldron => 6
Testing complete mga6 64 Before ------ $ echo "blah blah blah" >testfile $ shar testfile > testfile.shar shar: Saving testfile (text) $ file testfile.shar testfile.shar: shell archive text $ rm testfile rm: remove regular file 'testfile'? y $ unshar testfile.shar testfile.shar: x - created lock directory _sh24030. x - extracting testfile (text) x - removed lock directory _sh24030. $ cat testfile blah blah blah After ----- $ rm testfile.shar rm: remove regular file 'testfile.shar'? y $ shar testfile > testfile.shar shar: Saving testfile (text) $ file testfile.shar testfile.shar: shell archive text $ rm testfile rm: remove regular file 'testfile'? y $ unshar testfile.shar testfile.shar: x - created lock directory _sh24838. x - extracting testfile (text) x - removed lock directory _sh24838. $ cat testfile blah blah blah
Whiteboard: (none) => mga6-64-okKeywords: (none) => has_procedure
Thanks Claire for the test. Validating it. @David @Stig The advisory has no CVE; it is uploaded as per comment 1. It can be added. Done for Mageia 6 only, but comment 0 > Mageia 5 and Mageia 6 are also affected makes this unsure. Unvalidate it quickly if you really do want both.
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
Thanks. Like with most other issues also affecting Mageia 5, I didn't consider the package important enough to push a build for Mageia 5. I'm trying to mark the ones that really should be fixed on mga5 with MGA5TOO. I still report in the Comment 0's that Mageia 5 is affected just to document that fact.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0174.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
Ubuntu has issued an advisory for this on March 22: https://usn.ubuntu.com/3605-1/ It has CVE-2018-1000097.
Severity: normal => majorSummary: sharutils new heap buffer overflow security issue => sharutils new heap buffer overflow security issue (CVE-2018-1000097)