| Field | Value |
|---|---|
| Summary: | perl-core/Archive-Tar < 1.40 Directory traversal flaws (CVE-2007-4829) |
| Product: | Gentoo Security |
| Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | minor |
| CC: | bsd+disabled, gengor, ismail, perl |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=295021 |
| Whiteboard: | B4 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
Description

Robert Buchholz (RETIRED), 2007-09-18 23:37:22 UTC

Whiteboard. cc'ing maintainers for information. upstream bug is here: http://rt.cpan.org/Public/Bug/Display.html?id=29517

Perl, any news on this one?

Still waiting for upstream patch/fix.

Allegedly fixed in the not yet mirrored http://search.cpan.org/~kane/Archive-Tar-1.37_01/

Still waiting for the final.

1.38 is out. Please bump.

(In reply to comment #7)
> 1.38 is out. Please bump.

Well, according to http://rt.cpan.org/Public/Bug/Display.html?id=30380#txn-385889 , v1.38 is still vulnerable in some other way.

Archive-Tar-1.38 has been in the tree for some time. Please have a look at the discussion linked in comment #8.

dev-perl/Archive-Tar-1.40 is in the tree now. KEYWORDS were dropped because of new dependencies:

* perl-core/Package-Constants
* dev-perl/IO-Compress-Bzip2
* dev-perl/Compress-Raw-Bzip2

KEYWORDS="alpha amd64 ~arm hppa ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh sparc ~sparc-fbsd x86 ~x86-fbsd"

Thanks tove.

Arches, please test and mark stable / re-keyword =dev-perl/Archive-Tar-1.40 along with its new dependencies:

=perl-core/Package-Constants-0.01
=dev-perl/IO-Compress-Bzip2-2.015
=dev-perl/Compress-Raw-Bzip2-2.015

Targets:
Stable: alpha amd64 hppa ia64 sparc x86
Keyword only: ~arm ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc-fbsd ~x86-fbsd

(In reply to comment #11)
> Arches, please test and mark stable / re-keyword
> =dev-perl/Archive-Tar-1.40
>
> along with its new dependencies:
> =perl-core/Package-Constants-0.01
> =dev-perl/IO-Compress-Bzip2-2.015
> =dev-perl/Compress-Raw-Bzip2-2.015

and also (need a matching PV):

=dev-perl/IO-Compress-Zlib-2.015
=dev-perl/Compress-Raw-Zlib-2.015
=dev-perl/IO-Compress-Base-2.015
=dev-perl/Compress-Zlib-2.015

>
> Targets:
> Stable: alpha amd64 hppa ia64 sparc x86
> Keyword only: ~arm ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc-fbsd ~x86-fbsd

sparc stable

amd64 stable, Archive-Tar and its dependencies all pass their tests.

ppc64 stable

hppa stable

alpha/ia64/x86 stable

ppc stable

Ready for vote, I vote YES.

tar and star got their GLSA as well back then, so YES.

GLSA 200812-10
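The bug above is tracked as a directory traversal in Archive::Tar, meaning archive members whose names contain `..` components or start with `/` could be written outside the directory the caller extracts into. As an added, defence-side example (not code from this bug, from Gentoo, or from the Archive::Tar project), the script below audits every member name and symlink target of an archive before extracting anything, and refuses the whole archive if any entry would escape the extraction root. The member-name classification is pure string logic and is self-checked against constructed names; the `audit_archive` part assumes the Archive::Tar and Archive::Tar::File methods `new`, `get_files`, `full_path`, `is_symlink`, `linkname`, `extract` and `error` with the meanings I describe in the comments, so verify them against the version you run.

```perl
#!/usr/bin/perl
# Added defensive example; not code from the bug report or from Archive::Tar.
# Audits tar member names for paths that would land outside the extraction
# directory (the class of flaw tracked in this bug) before anything is written.
use strict;
use warnings;
use Archive::Tar;   # assumed installed; only audit_archive() needs it

# Classify one member (or symlink target) path. Returns a reason string when
# the path escapes the extraction root, undef when it stays inside.
# Pure string logic: no filesystem access, so it can be checked offline.
sub unsafe_reason {
    my ($name) = @_;
    return 'absolute path' if $name =~ m{^/} || $name =~ m{^[A-Za-z]:};
    my $depth = 0;
    for my $part (split m{/+}, $name) {
        next if $part eq '' || $part eq '.';
        if ($part eq '..') {
            $depth--;
            # More '..' than preceding components: climbs above the root.
            return 'parent-directory traversal' if $depth < 0;
        } else {
            $depth++;
        }
    }
    return undef;
}

# Walk every entry of an archive and collect [name, reason] pairs for the
# unsafe ones. Symlink targets are resolved relative to the link's own
# directory, so 'a/b/link -> ../c' is fine but 'link -> ../c' is flagged.
# Method names (get_files, full_path, is_symlink, linkname) are assumed to
# be those of Archive::Tar::File; check them against your installed version.
sub audit_archive {
    my ($path) = @_;
    my $tar = Archive::Tar->new($path)
        or die "cannot read $path: " . Archive::Tar->error;
    my @findings;
    for my $entry ($tar->get_files) {
        my $name = $entry->full_path;
        if (my $why = unsafe_reason($name)) {
            push @findings, [$name, $why];
        }
        if ($entry->is_symlink) {
            (my $dir = $name) =~ s{[^/]*$}{};   # directory holding the link
            my $target = $entry->linkname;
            my $why = unsafe_reason($target =~ m{^/} ? $target : $dir . $target);
            push @findings, ["$name -> $target", "symlink: $why"] if $why;
        }
    }
    return @findings;
}

# Self-check on constructed member names (no archive needed). Expected
# results are the second element of each pair.
my @cases = (
    ['etc/passwd',         undef],
    ['./a/b/../c.txt',     undef],
    ['../etc/passwd',      'parent-directory traversal'],
    ['a/../../etc/passwd', 'parent-directory traversal'],
    ['/etc/passwd',        'absolute path'],
);
for my $case (@cases) {
    my ($name, $want) = @$case;
    my $got = unsafe_reason($name);
    my $ok  = (defined $got ? $got : '') eq (defined $want ? $want : '');
    printf "%-22s %s\n", $name,
        $ok ? 'ok' : 'MISMATCH (got ' . (defined $got ? $got : 'safe') . ')';
}

# Optionally audit a real archive named on the command line, extracting it
# only when nothing was flagged.
if (my $archive = shift @ARGV) {
    my @bad = audit_archive($archive);
    if (@bad) {
        print "refusing to extract $archive:\n";
        print "  $_->[0]: $_->[1]\n" for @bad;
        exit 1;
    }
    Archive::Tar->new($archive)->extract or die Archive::Tar->error;
    print "extracted $archive\n";
}
```

Run it with no arguments to see the self-check, or with a tarball path to audit and conditionally extract it. The point of the pre-extraction pass is that it works regardless of which Archive::Tar version is installed: on a system still carrying a version older than 1.40 it is the only thing standing between an untrusted archive and a write outside the target directory, and on a fixed version it gives you a log line and a non-zero exit instead of a silently skipped member.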