Bug#: 189682
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Attachments:
tar-1.15.1-alt-contains_dot_dot.diff (patch, Robert Buchholz, 2007-08-21 09:38, 531 bytes)

Description:   Opened: 2007-08-21 09:37 0000
There is a directory traversal vulnerability in tar that can be exploited by
files in an archive that have "foo//.." as a filename.
The attached patch was committed upstream.
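
The check below is an added example and is neither tar's source nor the attached patch: a minimal re-implementation of a ".." component scan over an archive member name, in the shape such a check commonly takes, with a naive walker beside a hardened one, run over constructed member names. The idea that the weak check had this shape, the function names, and the sample names are illustrative assumptions.

```c
/*
 * Added example (not tar's source, not the attached patch): a minimal
 * re-implementation of a ".." component scan over an archive member name,
 * in the shape such a check commonly takes, to show why "foo//.." slips
 * past a naive walker and how a hardened walker treats it.
 * Function names and sample member names are illustrative assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Naive walker (assumed shape of the weak check): it compares ".." only at
 * the start of the string or right after a '/', then uses a do-while that
 * always consumes at least one character before looking for the next '/'.
 * In "foo//.." the second '/' is swallowed as the first character of the
 * next "component", so the ".." that follows is never compared. */
static bool naive_contains_dot_dot(const char *p)
{
    for (;; p++) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            return true;
        do {
            if (!*p++)
                return false;
        } while (*p != '/');
    }
}

/* Hardened walker: every iteration first skips the whole run of slashes,
 * so the comparison always starts at the first character of a component,
 * no matter how many '/' separate it from the previous one. */
static bool robust_contains_dot_dot(const char *p)
{
    for (;;) {
        while (*p == '/')
            p++;
        if (*p == '\0')
            return false;
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            return true;
        while (*p != '\0' && *p != '/')
            p++;
    }
}

/* Extraction policy a tar-like tool applies to each member name unless the
 * caller explicitly asks for absolute names: refuse absolute paths and any
 * name containing a ".." component. */
static bool member_name_is_safe(const char *name)
{
    return name[0] != '/' && !robust_contains_dot_dot(name);
}

int main(void)
{
    /* Constructed sample member names, not taken from any real archive. */
    static const char *const names[] = {
        "foo/bar.txt", "foo/../bar", "foo//..", "foo//../bar",
        "..", "../x", "foo/..bar", "/etc/passwd", "a//b//c",
    };
    size_t n = sizeof names / sizeof names[0];

    printf("%-14s %-6s %-7s %s\n", "name", "naive", "robust", "safe");
    for (size_t i = 0; i < n; i++)
        printf("%-14s %-6s %-7s %s\n", names[i],
               naive_contains_dot_dot(names[i]) ? "yes" : "no",
               robust_contains_dot_dot(names[i]) ? "yes" : "no",
               member_name_is_safe(names[i]) ? "yes" : "no");
    return 0;
}
```

Compile with `cc -Wall example.c && ./a.out`. The naive walker flags "foo/../bar" but reports "no" for "foo//.." and "foo//../bar", which is exactly the class of name the report describes; the hardened walker normalizes slash runs before every comparison, so the number of separators no longer matters. A real extractor also has to reject or rewrite absolute names, which is why the safety decision combines both checks.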

------- Comment #1 From Robert Buchholz 2007-08-21 09:38:06 0000 -------
Created an attachment (id=128748) [details]
tar-1.15.1-alt-contains_dot_dot.diff

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-08-21 20:38:02 0000 -------
base-system please advise and patch as necessary.

------- Comment #3 From Roy Marples (RETIRED) 2007-08-22 09:18:01 0000 -------
1.17-r1 and 1.18-r1 have been added to the tree with this patch. Older versions
have now been punted.

1.17 is stable across all arches and 1.18 is in the process of being stabled on
bug #184453.

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-08-22 16:52:41 0000 -------
Arches please test and mark stable. Target keywords are:

"alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"

------- Comment #5 From Gustavo Zacarias (RETIRED) 2007-08-22 17:54:53 0000 -------
sparc stable for 1.18-r2 (which is probably the one you want?)

------- Comment #6 From Tobias Scherbaum 2007-08-22 18:29:08 0000 -------
ppc stable

------- Comment #7 From Andrej Kacian (RETIRED) 2007-08-22 20:34:19 0000 -------
x86 done

------- Comment #8 From Christoph Mende 2007-08-22 22:31:47 0000 -------
amd64 stable

------- Comment #9 From Jeroen Roovers 2007-08-23 04:55:48 0000 -------
Stable for HPPA.

------- Comment #10 From Joshua Kinard 2007-08-23 05:41:28 0000 -------
mips stable.

------- Comment #11 From Raúl Porcel 2007-08-24 14:28:31 0000 -------
alpha/ia64 stable

------- Comment #12 From Markus Rothe 2007-08-29 10:25:52 0000 -------
ppc64 stable

------- Comment #13 From Pierre-Yves Rofes 2007-09-01 22:22:57 0000 -------
Stabling seems done on all arches, time for glsa decision. I tend to vote yes.

------- Comment #14 From Sune Kloppenborg Jeppesen 2007-09-08 15:41:31 0000 -------
I vote YES.

------- Comment #15 From Matt Drew 2007-09-09 22:32:52 0000 -------
I vote yes, the flaw is (apparently) easy to use, and tar is of course
ubiquitous.  Submitting request.

------- Comment #16 From Christian Faulhammer 2007-09-16 10:09:44 0000 -------
This is GLSA 200709-09, done by falco.  Thanks to everyone, closing
