According to RedHat:
Directory traversal vulnerability in Archive::Tar perl module allows
user-assisted remote attackers to overwrite arbitrary files writable
by user running application using this module via an absolute path or
a .. (dot dot) sequence in filenames in a TAR archive.
Similar issues were reported and fixed for GNU tar during the past several
years, e.g.: CVE-2001-1267, CVE-2002-0399, CVE-2002-1216 and CVE-2007-4131.
This issue is important when this module is used to extract tar archives
from untrusted sources. However, some such applications either
implement workarounds / their own checks (sa-update in spamassassin) or
dropped support for the module altogether (amavisd-new).
cc'ing maintainers for information. Upstream bug is here:
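The application-side check mentioned above (the kind of workaround sa-update carries), as an added example that is not part of this bug report or of Archive::Tar itself: member names are filtered for absolute paths and `..` components before anything is extracted. The archive is constructed in memory; `member_is_safe` and `extract_safely` are names chosen here.

```perl
#!/usr/bin/perl
# Added example: an application-level guard for Archive::Tar extraction.
# Vulnerable Archive::Tar versions wrote members such as "../../etc/x"
# wherever the name pointed, so the caller must vet names itself.
use strict;
use warnings;
use Archive::Tar;
use File::Spec;

# True if a member name stays inside the destination directory.
sub member_is_safe {
    my ($name) = @_;
    return 0 if !defined $name || $name eq '';
    return 0 if File::Spec->file_name_is_absolute($name);   # "/etc/passwd"
    return 0 if $name =~ m{^[A-Za-z]:};                       # "C:\..." on Win32
    # Tar uses '/' as separator; reject any ".." path component.
    for my $part (split m{/}, $name) {
        return 0 if $part eq '..';
    }
    return 1;
}

# Extract only vetted members under $dest; return the names refused.
sub extract_safely {
    my ($tar, $dest) = @_;
    my @refused;
    for my $file ($tar->get_files) {
        my $name = $file->full_path;
        if (!member_is_safe($name)) {
            push @refused, $name;
            next;
        }
        $tar->extract_file($name, File::Spec->catfile($dest, $name));
    }
    return @refused;
}

# Constructed in-memory archive: one benign member, one traversal member.
# Nothing touches disk unless extract_safely() is called with a real dir.
my $tar = Archive::Tar->new;
$tar->add_data('docs/README',        "hello\n");
$tar->add_data('../../etc/cron.d/x', "evil\n");

for my $f ($tar->get_files) {
    printf "%-22s %s\n", $f->full_path,
        member_is_safe($f->full_path) ? 'ok' : 'REJECTED';
}
# Absolute names are checked the same way:
print member_is_safe('/etc/passwd') ? "ok\n" : "REJECTED /etc/passwd\n";
```

Archive::Tar strips a leading slash when a member is added with `add_data`, so the absolute case is checked on a plain string; archives read from untrusted input with `read` keep whatever name the header carries.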
Perl, any news on this one?
Still waiting for upstream patch/fix.
Allegedly fixed in the not yet mirrored
Still waiting for the final.
1.38 is out. Please bump.
(In reply to comment #7)
> 1.38 is out. Please bump.
Well, according to http://rt.cpan.org/Public/Bug/Display.html?id=30380#txn-385889 , v1.38 is still vulnerable in some other way.
Archive-Tar-1.38 has been in the tree for some time.
Please have a look at the discussion linked in comment #8.
dev-perl/Archive-Tar-1.40 is in the tree now.
KEYWORDS were dropped because of new dependencies:
KEYWORDS="alpha amd64 ~arm hppa ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Arches, please test and mark stable / re-keyword
along with its new dependencies:
Stable: alpha amd64 hppa ia64 sparc x86
Keyword only: ~arm ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc-fbsd ~x86-fbsd
(In reply to comment #11)
> Arches, please test and mark stable / re-keyword
> along with its new dependencies:
and also (need a matching PV):
> Stable: alpha amd64 hppa ia64 sparc x86
> Keyword only: ~arm ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc-fbsd ~x86-fbsd
amd64 stable, Archive-Tar and its dependencies all pass their tests.
Ready for vote, I vote YES.
tar and star got their GLSA as well back then, so YES.