There is a directory traversal vulnerability in star that can be exploited by files in an archive that contain "foo//..//.." as a filename. This is related to the vulnerability described in bug #189682.
Created attachment 128754 [details, diff] star-traversal.diff Patch to fixing this.
Created attachment 128756 [details] v.tar tar file to exploit this issue (creates a README file outside of the working dir)
Created attachment 128776 [details, diff] star-1.5_alpha74-multiple-slashes.diff Contacted upstream, this was the proposed patch.
shell-tools please advise and patch as necessary.
New upstream release AN-1.5a84 fixes this issue.
still 1.5a84 is not in portage...
It crashes here. But I've contacted upstream and Joerg gave sent me some additional fixes. As soon as I test them, I'll bump.
(In reply to comment #7) > It crashes here. But I've contacted upstream and Joerg gave sent me some > additional fixes. As soon as I test them, I'll bump. > great, thanks :o)
Proposing B4 based on severity in bug 189682, setting whiteboard to waiting for ebuild
Finally ebuild is in the tree.
Thanks Peter. Arches, please test and mark stable app-arch/star-1.5_alpha84. Target keywords are: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
x86 stable
Stable for HPPA.
ppc64 stable
alpha/ia64 stable
The emerge completes here on sparc64 with the following warnings: RULES/rules1.top:239: incs/Dcc.sparc-linux: No such file or directory RULES/rules.cnf:56: incs/sparc-linux-cc/Inull: No such file or directory RULES/rules.cnf:57: incs/sparc-linux-cc/rules.cnf: No such file or directory ../RULES/rules.ins:27: warning: overriding commands for target `/usr/' ../RULES/rules.ins:22: warning: ignoring old commands for target `/usr/' ../RULES/rules.ins:30: warning: overriding commands for target `../bins/sparc-linux-cc' ../RULES/rules.ins:24: warning: ignoring old commands for target `../bins/sparc-linux-cc' The package doesn't run any tests. I was able to create a simple .tar.bz2 file and to extract it.
Created attachment 130804 [details] sparc64-emerge-info emerge --info for sparc64
Created attachment 130806 [details] app-arch:star-1.5_alpha84:20070913-105036.log Complete emerge log for star-1.5_alpha84
Jorge, I suppose that similar warnings are on all archs and this is a feature/problem of SSPM ("Slottable Source Plugin Module" system). This should not stop/delay stabilization.
(In reply to comment #19) > Jorge, I suppose that similar warnings are on all archs and this is a > feature/problem of SSPM ("Slottable Source Plugin Module" system). This should > not stop/delay stabilization. > Then all is ready, sparc stable. Thanks Jorge for the testing and Peter for the note.
ppc stable
amd64 stable
All but mips stable, next is glsa decision.
I tend to vote NO.
I vote NO.
mips stable.
we already sent a GLSA for such an issue in the near past (bug #189682 and GLSA 200709-09), and i would send a GLSA here too. I vote yes.
I vote yes, because the reasoning is the same as the previous tar vulnerability. GLSA request filed.
star is not as widely used as tar that was why I voted NO (rating A4 vs B4).
glsa 200710-08, thanks everybody
(In reply to comment #30) > glsa 200710-08, thanks everybody Uhh... I'd call it GLSA 200710-23.