There is a directory traversal vulnerability in tar that can be exploited by files in an archive that have "foo//.." as a filename.
The attached patch was committed upstream.
Created attachment 128748
base-system please advise and patch as necessary.
1.17-r1 and 1.18-r1 have been added to the tree with this patch. Older versions have now been punted.
1.17 is stable across all arches and 1.18 is in the process of being stabled on bug #184453.
Arches please test and mark stable. Target keywords are:
"alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
sparc stable for 1.18-r2 (which is probably the one you want?)
Stable for HPPA.
Stabling seems done on all arches, time for GLSA decision. I tend to vote yes.
I vote YES.
I vote yes, the flaw is (apparently) easy to use, and tar is of course ubiquitous. Submitting request.
This is GLSA 200709-09, done by falco. Thanks to everyone, closing.