On Tue, 29 Mar 2005, Joey Hess wrote:
> Package: sharutils
> Version: 1:4.2.1-11
> Severity: normal
> Tags: security
>
> [EMAIL PROTECTED]:/tmp>unshar `perl -e 'print "A"x1500'`/tmp/testing
> [...]
>
> This buffer overflow was apparently discovered by gentoo developers, see
> http://bugs.gentoo.org/show_bug.cgi?id=65773
>
> Exploitation of this problem would seem to be limited to systems that
> take arbitrary files, perhaps uploaded via ftp, and run unshar on them.
>
> Anyway, there's a patch for it, see the second hunk of
> http://bugs.gentoo.org/attachment.cgi?id=40702
> (first hunk fixes #265904)
>
> Just to confuse things, CVE id CAN-2004-1773 describes both this problem
> and the one in bug #265904.
Thanks a lot for the report. I'll apply the patch from Gentoo.
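For readers of the thread who want to see the class of defect behind the report, here is an added illustration; it is not sharutils' code and not the Gentoo patch, and the buffer size, the function names (`copy_name_bounded`, `accept_filename`, `accept_repeated`) and the 256-byte limit are constructed for the example. It contrasts an unbounded `strcpy` of a command-line argument into a fixed stack buffer with a bounded copy that rejects an over-long argument, and the self-check feeds it the same 1500-byte input the report used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for the illustration; the real buffer size in sharutils
 * is not given in the thread, so this value is an assumption. */
#define NAME_BUF_SIZE 256

/* The unsafe pattern behind this class of bug (shown as a comment only):
 *
 *     char name[NAME_BUF_SIZE];
 *     strcpy(name, argv[1]);    // 1500 bytes copied into a 256-byte buffer
 *
 * strcpy stops only at the NUL terminator, so an over-long argument runs
 * past the end of `name` and corrupts whatever follows it on the stack.
 */

/* Hardened form: the copy is bounded by the destination size, and an
 * argument that does not fit is rejected rather than silently truncated.
 * Returns 0 on success, -1 if src does not fit in dst. */
int copy_name_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)   /* need room for bytes + NUL */
        return -1;
    memcpy(dst, src, len + 1);              /* copies the terminator too */
    return 0;
}

/* Models a tool receiving a filename argument: fixed stack buffer plus check. */
int accept_filename(const char *arg)
{
    char name[NAME_BUF_SIZE];
    if (copy_name_bounded(name, sizeof name, arg) != 0) {
        fprintf(stderr, "filename argument too long (%zu bytes, limit %zu)\n",
                strlen(arg), (size_t)NAME_BUF_SIZE - 1);
        return -1;
    }
    return 0;
}

/* Self-test helper: builds `len` copies of `c`, mirroring the report's
 * perl -e 'print "A"x1500' input, and runs it through the check. */
int accept_repeated(char c, size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, c, len);
    s[len] = '\0';
    int rc = accept_filename(s);
    free(s);
    return rc;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "testing";
    if (accept_filename(arg) != 0)
        return 1;
    printf("accepted %zu-byte filename\n", strlen(arg));
    return 0;
}
```

Run it with a normal path and it accepts the argument; run it with an argument longer than 255 bytes and it refuses the input with a diagnostic instead of overrunning the buffer. Checking `len >= dst_size` rather than `len > dst_size` is what keeps the terminating NUL inside the buffer.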

