USN-102-1: shar vulnerabilities

29 March 2005

sharutils vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 4.10

Software Description

Details

Shaun Colley discovered a buffer overflow in “shar” that was triggered by output files (specified with -o) with names longer than 49 characters. This could be exploited to run arbitrary attacker-specified code on systems that automatically process uploaded files with shar.

Ulf Harnhammar discovered that shar does not check the data length returned by the ‘wc’ command. However, it is believed that this cannot actually be exploited on real systems.
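
The first issue above, shown as an added example that is not taken from the sharutils source or from this advisory: an unbounded copy into a fixed buffer beside a bounded version that rejects over-long names instead of truncating them. The 50-byte buffer (49 characters plus the terminating NUL) and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: 49 characters plus the NUL, matching the limit in the
   advisory. This is an illustration, not shar's actual code. */
#define NAME_BUF 50

/* Unsafe pattern, for contrast only (never called below): no bound on the
   copy, so a name of 50 or more characters writes past the end of dst. */
void set_output_name_unsafe(char *dst, const char *name)
{
    strcpy(dst, name);
}

/* Bounded version. Returns 0 on success, -1 if the name is missing, empty,
   or does not fit in dst including its terminating NUL. */
int set_output_name(char *dst, size_t dstlen, const char *name)
{
    if (dst == NULL || dstlen == 0 || name == NULL || name[0] == '\0')
        return -1;
    int n = snprintf(dst, dstlen, "%s", name);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* reject rather than silently truncate */
        return -1;
    }
    return 0;
}

/* Constructed input: a name made of `len` 'a' characters.
   Returns 1 if the bounded version accepts it, 0 otherwise. */
int accepts_name_of_length(size_t len)
{
    char name[256], out[NAME_BUF];
    if (len >= sizeof name)
        return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    return set_output_name(out, sizeof out, name) == 0;
}

int main(void)
{
    printf("49 chars: %s\n", accepts_name_of_length(49) ? "accepted" : "rejected");
    printf("50 chars: %s\n", accepts_name_of_length(50) ? "accepted" : "rejected");
    return 0;
}
```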

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 4.10
sharutils

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.