There is a directory traversal vulnerability in star that can be exploited by files in an archive that contain "foo//..//.." as a filename. This is related to the vulnerability described in bug #189682.
Created attachment 128754 [details, diff]
Patch fixing this.
Created attachment 128756 [details]
tar file to exploit this issue (creates a README file outside of the working dir)
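The report describes archive entries whose name carries ".." components behind doubled slashes ("foo//..//.."), so that a README ends up outside the extraction directory. The following is an added example, not star's code or the attached patch: it contrasts a prefix-only filter (strip a leading "../" or "/" and trust the rest) with a check that normalizes the joined path and verifies containment before writing. The sample member names, the destination "/srv/extract", and the "foo//..//../README" shape of the exploit entry are constructed assumptions.

```python
"""Added example: checking tar member names for directory traversal,
including the "foo//..//.." form from the bug report. Not star's code."""
import posixpath

# Constructed sample names. "foo//..//../README" is an assumption about
# the shape of the exploit archive; the others are for comparison.
SAMPLE_MEMBERS = [
    "docs/README",          # normal relative name
    "a/b/../c",             # ".." that still stays inside dest
    "../README",            # plain leading traversal
    "/etc/README",          # absolute name
    "foo//..//../README",   # bug-report shape: ".." hidden behind "//"
]


def prefix_filter(name):
    """Weak filter (illustrative, not star's): strips leading "../" and
    "/" only. Anything after a normal first component is trusted."""
    while name.startswith("../"):
        name = name[3:]
    return name.lstrip("/")


def naive_target(dest, name):
    """Where a prefix-only extractor would actually write `name`.
    normpath is applied only to show the resulting path; the filter
    itself never looked past the first component."""
    return posixpath.normpath(posixpath.join(dest, prefix_filter(name)))


def safe_target(dest, name):
    """Return the path a member may be written to, or None if it would
    escape `dest`. Collapsing "//" and resolving ".." on the joined
    path before the containment check is what defeats "foo//..//..".
    This rejects escaping members rather than rewriting them."""
    dest = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest, name.lstrip("/")))
    if posixpath.commonpath([dest, target]) != dest:
        return None
    return target


def audit(dest, names=SAMPLE_MEMBERS):
    """Map each member name to (naive_target, safe_target) for review."""
    return {n: (naive_target(dest, n), safe_target(dest, n)) for n in names}


if __name__ == "__main__":
    for name, (naive, safe) in audit("/srv/extract").items():
        print(f"{name!r:24} naive={naive!r:28} safe={safe!r}")
```

For "foo//..//../README" the prefix filter passes the name through unchanged and the extractor would write "/srv/README", one level above the destination, while the containment check returns None. Note that the containment check is on lexical paths only; an extractor that also follows symlinks created by earlier members needs a further check at open time.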
Created attachment 128776 [details, diff]
Contacted upstream; this was the proposed patch.
shell-tools, please advise and patch as necessary.
New upstream release AN-1.5a84 fixes this issue.
Still, 1.5a84 is not in portage...
It crashes here. But I've contacted upstream and Joerg sent me some additional fixes. As soon as I test them, I'll bump.
(In reply to comment #7)
> It crashes here. But I've contacted upstream and Joerg sent me some
> additional fixes. As soon as I test them, I'll bump.
great, thanks :o)
Proposing B4 based on severity in bug 189682, setting whiteboard to waiting for ebuild
Finally ebuild is in the tree.
Thanks Peter. Arches, please test and mark stable app-arch/star-1.5_alpha84.
Target keywords are: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
Stable for HPPA.
The emerge completes here on sparc64 with the following warnings:
RULES/rules1.top:239: incs/Dcc.sparc-linux: No such file or directory
RULES/rules.cnf:56: incs/sparc-linux-cc/Inull: No such file or directory
RULES/rules.cnf:57: incs/sparc-linux-cc/rules.cnf: No such file or directory
../RULES/rules.ins:27: warning: overriding commands for target `/usr/'
../RULES/rules.ins:22: warning: ignoring old commands for target `/usr/'
../RULES/rules.ins:30: warning: overriding commands for target `../bins/sparc-linux-cc'
../RULES/rules.ins:24: warning: ignoring old commands for target `../bins/sparc-linux-cc'
The package doesn't run any tests. I was able to create a simple .tar.bz2 file and to extract it.
Created attachment 130804 [details]
emerge --info for sparc64
Created attachment 130806 [details]
Complete emerge log for star-1.5_alpha84
Jorge, I suppose that similar warnings are on all archs and this is a feature/problem of SSPM ("Slottable Source Plugin Module" system). This should not stop/delay stabilization.
(In reply to comment #19)
> Jorge, I suppose that similar warnings are on all archs and this is a
> feature/problem of SSPM ("Slottable Source Plugin Module" system). This should
> not stop/delay stabilization.
Then all is ready, sparc stable.
Thanks Jorge for the testing and Peter for the note.
All but mips stable, next is glsa decision.
I tend to vote NO.
I vote NO.
We already sent a GLSA for such an issue in the near past (bug #189682 and GLSA 200709-09), and I would send a GLSA here too. I vote yes.
I vote yes, because the reasoning is the same as the previous tar vulnerability.
GLSA request filed.
star is not as widely used as tar; that was why I voted NO (rating A4 vs B4).
glsa 200710-08, thanks everybody
(In reply to comment #30)
> glsa 200710-08, thanks everybody
Uhh... I'd call it GLSA 200710-23.