http://packages.qa.debian.org/libt/libtar.html doesn't host 1.2.11-r5 any longer. It's older than their "oldstable" release. Note: it is *older* than *debian's* *old stable* version. Maybe a version bump is in order...
Turning this into a security issue: Two vulnerabilities have been reported in libtar, which can be exploited by malicious people to potentially compromise an application using the library. 1) An integer overflow error within the "th_read()" function (lib/block.c) when processing the long name extension can be exploited to cause a heap-based buffer overflow via a specially crafted archive. 2) An integer overflow error within the "th_read()" function (lib/block.c) when processing the long link extension can be exploited to cause a heap-based buffer overflow via a specially crafted archive. Successful exploitation may allow execution of arbitrary code. The vulnerabilities are reported in versions prior to 1.2.20.
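As an added illustration of the defect class described above (the size of a long name/long link extension is rounded up to whole blocks and then multiplied, and the product wraps before it reaches malloc), here is a self-contained, overflow-checked sizing routine. This is example code written for this thread, not libtar's own th_read(); the function names, T_BLOCKSIZE macro and sample header fields are assumptions.

```c
/* Example: overflow-safe sizing of a tar long-name/long-link payload.
 * Illustrative code for this bug thread; NOT libtar's th_read().
 * Function and macro names are assumptions for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define T_BLOCKSIZE 512   /* ustar block size */

/* Parse the 12-byte octal 'size' field of a ustar header.
 * Returns 0 on success, -1 if the field is malformed or the value
 * would overflow a uint64_t (each step multiplies by 8). */
static int parse_octal_size(const char *field, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    size_t i = 0;
    while (i < len && field[i] == ' ') i++;            /* leading blanks */
    for (; i < len && field[i] != '\0' && field[i] != ' '; i++) {
        if (field[i] < '0' || field[i] > '7') return -1;
        if (v > (UINT64_MAX >> 3)) return -1;          /* v*8 would wrap */
        v = (v << 3) | (uint64_t)(field[i] - '0');
    }
    *out = v;
    return 0;
}

/* Bytes to allocate for a payload of `sz` bytes rounded up to whole
 * blocks.  Without the range check, (size_t)(blocks * T_BLOCKSIZE)
 * can wrap to a small value, and the later copy of the real payload
 * overflows the heap buffer: the pattern reported for CVE-2013-4397.
 * Returns 0 and sets *alloc, or -1 if the result does not fit size_t. */
static int longname_alloc_size(uint64_t sz, size_t *alloc)
{
    uint64_t blocks = sz / T_BLOCKSIZE + (sz % T_BLOCKSIZE ? 1 : 0);
    if (blocks > (uint64_t)(SIZE_MAX / T_BLOCKSIZE)) return -1;
    *alloc = (size_t)blocks * T_BLOCKSIZE;
    return 0;
}

/* Header field -> checked allocation size; 0 means "rejected". */
static size_t alloc_or_zero(const char *field)
{
    uint64_t sz;
    size_t n;
    if (parse_octal_size(field, 12, &sz) != 0) return 0;
    if (longname_alloc_size(sz, &n) != 0) return 0;
    return n;
}

/* Same check driven directly by a numeric size; 0 means "rejected". */
static size_t alloc_from_size_or_zero(uint64_t sz)
{
    size_t n;
    return longname_alloc_size(sz, &n) == 0 ? n : 0;
}

int main(void)
{
    /* Constructed sample size fields (11 octal digits + NUL = 12 bytes). */
    const char small[12] = "00000000021";   /* 17 bytes  -> one block   */
    const char bad[12]   = "0000000008x";   /* not octal -> rejected    */
    printf("small: %zu bytes\n", alloc_or_zero(small));
    printf("bad:   %zu bytes (0 = rejected)\n", alloc_or_zero(bad));
    /* A size near UINT64_MAX wraps on every platform once rounded up. */
    printf("huge:  %zu bytes (0 = rejected)\n",
           alloc_from_size_or_zero(UINT64_MAX - 10));
    return 0;
}
```

The range check is the whole point: on a 32-bit build the largest value an 11-digit octal field can hold (just under 2^33) already exceeds what `size_t` can represent after rounding, so the allocation must be refused rather than silently truncated. The parser also rejects non-octal characters, which the unchecked path would otherwise fold into the size.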
+ 11 Oct 2013; Sergey Popov <pinkbyte@gentoo.org> +libtar-1.2.20.ebuild:
+ Version bump, wrt bug #487420

Raising to B2, cause vulnerabilities are arbitrary code execution

Arches, please test and mark stable =dev-libs/libtar-1.2.20
Target keywords: amd64 ppc ppc64 x86
amd64 stable
x86 stable
ppc stable
CVE-2013-4397 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4397): Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow.
ppc64 stable
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in GLSA 201402-19 at http://security.gentoo.org/glsa/glsa-201402-19.xml by GLSA coordinator Sergey Popov (pinkbyte).