From ${URL} : Description Two vulnerabilities have been reported in libtar, which can be exploited by malicious people to manipulate certain data. The vulnerabilities are caused due to insufficient verification of path prefixes in the "tar_extract_glob()" and "tar_extract_all()" functions and can be exploited to overwrite arbitrary files. The vulnerabilities are reported in versions 1.2.20 and prior. Solution: No official solution is currently available. Provided and/or discovered by: Timo Warns Original Advisory: https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-4420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4420): Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.
Added to existing glsa draft.
Reverted adding to GLSA request - this issue is NOT fixed in 1.2.20
Created attachment 407310 [details, diff] libtar-CVE-2013-4420.patch Patch is derived form the Debian fix for the same CVE (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860). I tested the patch using the steps documented in the Mageia bug (https://bugs.mageia.org/show_bug.cgi?id=12824) and can confirm the patch fixes the issue.
Package has a new proxy maintainer. *libtar-1.2.20-r3 (21 Jul 2015) 21 Jul 2015; Ian Delaney <idella4@gentoo.org> +files/CVE-2013-4420.patch, +libtar-1.2.20-r3.ebuild: revbump; sec. patch from Bug 487686, sourced, prepared and runtested by proxy maintainer
Arches CC'd. Please proceed with stabilisation given 1.2.20-r2 has been made stable.
Arches, please test and mark stable: =dev-libs/libtar-1.2.20-r3 Target keywords : "amd64 ppc ppc64 x86"
amd64 stable
x86 stable
sparc stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
This is not stable for ppc64 yet: Keywords for dev-libs/libtar: | | u | | a a a n p s | n | | l m r h i m m i p s p | u s | r | p d a m p a 6 i o p c 3 a x | s l | e | h 6 r 6 p 6 8 p s p 6 9 s r 8 | e o | p | a 4 m 4 a 4 k s 2 c 4 0 h c 6 | d t | o ----------+-------------------------------+-----+------- 1.2.20-r2 | o + o o o o o o o + + o o ~ + | o 0 | gentoo 1.2.20-r3 | o + o o o o o o o + ~ o o + + | o | gentoo
Stable for PPC64.
Vote: NO.
GLSA Vote: No
