lp:ubuntu/edgy-updates/tar

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/edgy-updates/tar

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Development

Recent revisions

11. By Kees Cook

* SECURITY UPDATE: directory traversal with malicious tar files.
* src/names.c: adjust dot dot checking, patched inline.
* References
  CVE-2007-4131

10. By Kees Cook

* SECURITY UPDATE: files can be overwritten/renamed in any writable location
  in the filesystem via GNUTYPE_NAMES type.
* src/extract.c: disable GNUTYPE_NAMES type processing by default since it
  allows for immediate symlink creation and renames.
* src/common.h, src/tar.c: add --allow-name-mangling option to restore
  default behavior.
* debian/rules: lowered optimization level on i386 for testcase #29.
* References
  http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html
  CVE-2006-6097

9. By Bdale Garbee

* add a NEWS.Debian file that communicates the change in wildcard processing
* re-institute the patch for filenames that are exactly 100 characters in
  length originally reported in #230910, closes: #376909

8. By Bdale Garbee

* new upstream version, retrieved from alpha.gnu.org
* update date in tar.1, closes: #367290
* support rollbacks in maintainer scripts, drop removal of info since this
  package no longer delivers an info doc, closes: #374461

7. By Ian Jackson

Do not mess with directory permissions when extracting
without -p. Malone 19540.

6. By Martin Pitt

* SECURITY UPDATE: Arbitrary code execution with crafted tar files.
* src/xheader.c:
  - Add a new function decode_num() which wraps xstrtoumax() and adds
    boundary and sanity checking.
  - Use decode_num() instead of xstrtoumax() in the code to avoid buffer
    overflows on excessively large field values like GNU.sparse.numblocks.
  - Patch taken from upstream CVS.
* CVE-2006-0300

5. By Bdale Garbee

* patch from LaMont to fix gcc-4.0 error in the test suite,
  closes: #308815, #310830
* patch for de.po from Jens Seidel, closes: #313900
* fix amanda upstream URL in the info pages, closes: #310158
* patch from NIIBE Yutaka to support cross builds, closes: #283723

4. By Bdale Garbee

* patch from Paul Eggert that does a better job of eliminating the
  dependency on (buggy) valloc, closes: #234422, #248897
* patch for typo in upstream po/de.po, closes: #154511
* switch from dh_installmanpages to dh_installman

3. By Bdale Garbee

* patch to stop issuing lone zero block warnings, closes: #235820
* patch to clean up hyphenation in man page, closes: #185670
* clean up manpage discussion of exclude and exclude-from, closes: #146196
* turn on regression tests in the build process

2. By Bdale Garbee

* add a README.Debian that clarifies the situation with respect to 'compress'
  in Debian and the impact on the -Z and related options, closes: #122336
* patch from Mark Eichin to fix archive corruption in special cases, which
  has been accepted upstream for next release. closes: #126274

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/karmic/tar