According to Red Hat: a directory traversal vulnerability in the Archive::Tar Perl module allows user-assisted remote attackers to overwrite arbitrary files writable by the user running an application that uses this module, via an absolute path or a .. (dot dot) sequence in filenames in a TAR archive. Similar issues were reported and fixed for GNU tar over the past several years, e.g. CVE-2001-1267, CVE-2002-0399, CVE-2002-1216 and CVE-2007-4131. This issue is important when this module is used to extract tar archives from untrusted sources. However, some such applications either implement workarounds / their own checks (sa-update in spamassassin) or dropped module support altogether (amavisd-new).
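The kind of member-name check an application has to do itself when it cannot rely on the module (the description mentions sa-update doing so). This is an added example, not code from the bug report, from Archive::Tar or from spamassassin; the archive contents and temp directory are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: refuse tar members whose names would land outside the
# extraction directory (absolute paths, drive/UNC prefixes, ".." components).
# Symlink/hardlink members pointing outside the tree are a separate concern
# and are not covered by a name check alone.
use strict;
use warnings;
use Archive::Tar;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Return a short reason if $name is unsafe to extract, or undef if it is fine.
sub unsafe_reason {
    my ($name) = @_;
    return 'empty name'        if !defined $name || $name eq '';
    return 'absolute path'     if File::Spec->file_name_is_absolute($name)
                                  || $name =~ m{^/};
    return 'drive or UNC path' if $name =~ /^[A-Za-z]:/ || $name =~ m{^\\\\};
    return 'dot-dot component' if grep { $_ eq '..' } split m{[/\\]+}, $name;
    return undef;
}

# Extract only members that pass the check, relative to $dest.
# Returns references to the lists of extracted and skipped member names.
sub safe_extract {
    my ($tar, $dest) = @_;
    my (@ok, @skipped);
    my $orig = getcwd();
    chdir $dest or die "chdir $dest: $!";
    for my $member ($tar->get_files) {
        my $name = $member->full_path;
        if (my $why = unsafe_reason($name)) {
            push @skipped, "$name ($why)";
            next;
        }
        # $name is relative and free of "..", so it stays under $dest.
        $tar->extract_file($name) or die "extract $name: " . $tar->error;
        push @ok, $name;
    }
    chdir $orig or die "chdir $orig: $!";
    return (\@ok, \@skipped);
}

# Constructed in-memory archive: one benign member and two hostile names.
my $tar = Archive::Tar->new;
$tar->add_data('docs/readme.txt',     "hello\n");
$tar->add_data('../../etc/evil.conf', "owned\n");     # dot-dot traversal
$tar->add_data('/tmp/evil.sh',        "#!/bin/sh\n"); # absolute path

my ($ok, $skipped) = safe_extract($tar, tempdir(CLEANUP => 1));
print "extracted: $_\n" for @$ok;
print "skipped:   $_\n" for @$skipped;
```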
cc'ing maintainers for information. Upstream bug is here: http://rt.cpan.org/Public/Bug/Display.html?id=29517
Perl, any news on this one?
Still waiting for upstream patch/fix.
Allegedly fixed in the not-yet-mirrored http://search.cpan.org/~kane/Archive-Tar-1.37_01/
Still waiting for the final.
1.38 is out. Please bump.
(In reply to comment #7)
> 1.38 is out. Please bump.

Well, according to http://rt.cpan.org/Public/Bug/Display.html?id=30380#txn-385889 , v1.38 is still vulnerable in some other way.
Archive-Tar-1.38 has been in the tree for some time. Please have a look at the discussion linked in comment #8.
dev-perl/Archive-Tar-1.40 is in the tree now. KEYWORDS were dropped because of new dependencies:
* perl-core/Package-Constants
* dev-perl/IO-Compress-Bzip2
* dev-perl/Compress-Raw-Bzip2

KEYWORDS="alpha amd64 ~arm hppa ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Thanks tove. Arches, please test and mark stable / re-keyword
=dev-perl/Archive-Tar-1.40

along with its new dependencies:
=perl-core/Package-Constants-0.01
=dev-perl/IO-Compress-Bzip2-2.015
=dev-perl/Compress-Raw-Bzip2-2.015

Targets:
Stable: alpha amd64 hppa ia64 sparc x86
Keyword only: ~arm ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc-fbsd ~x86-fbsd
(In reply to comment #11)
> Arches, please test and mark stable / re-keyword
> =dev-perl/Archive-Tar-1.40
>
> along with its new dependencies:
> =perl-core/Package-Constants-0.01
> =dev-perl/IO-Compress-Bzip2-2.015
> =dev-perl/Compress-Raw-Bzip2-2.015

and also (need a matching PV):
=dev-perl/IO-Compress-Zlib-2.015
=dev-perl/Compress-Raw-Zlib-2.015
=dev-perl/IO-Compress-Base-2.015
=dev-perl/Compress-Zlib-2.015

> Targets:
> Stable: alpha amd64 hppa ia64 sparc x86
> Keyword only: ~arm ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc-fbsd ~x86-fbsd
sparc stable
amd64 stable; Archive-Tar and its dependencies all pass their tests.
ppc64 stable
hppa stable
alpha/ia64/x86 stable
ppc stable
Ready for vote, I vote YES.
tar and star got their GLSA as well back then, so YES.
GLSA 200812-10