lp:ubuntu/feisty-security/tar
- Get this branch:
- bzr branch lp:ubuntu/feisty-security/tar
Recent revisions
- 13. By Kees Cook
  * SECURITY UPDATE: directory traversal with malicious tar files.
  * src/names.c: adjust dot dot checking, patched inline.
  * References
    CVE-2007-4131
- 12. By Bdale Garbee
  patch from Kees Cook via upstream to disable handling of GNUTYPE_NAMES
  by default and add a new command-line switch --allow-name-mangling to
  re-enable it, as a fix for directory traversal bug (CVE-2006-6097),
  closes: #399845
- 11. By Kees Cook
  * SECURITY UPDATE: files can be overwritten/renamed in any writable location
    in the filesystem via GNUTYPE_NAMES type.
  * src/extract.c: disable GNUTYPE_NAMES type processing by default since it
    allows for immediate symlink creation and renames.
  * src/common.h, src/tar.c: add --allow-name-mangling option to restore
    default behavior.
  * References
    http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html
- 10. By Bdale Garbee
  * new upstream version, closes: #376816, #363943, #377124, #377330
  * fix for buffer overflow in test suite, closes: #377557
  * force a clean in the tests directory before running the test suite, seems
    to work around test suite repeatability problems, closes: #377330, #379393
  * accept patch from Raphael Bossek to zero nanoseconds, closes: #329843
  * update man page to reflect change in -l definition and other misc changes
    to options since man page was last updated,
    closes: #384508, #391718, 361932, #315506
  * stop delivering upstream README, closes: #323232
- 9. By Bdale Garbee
  * add a NEWS.Debian file that communicates the change in wildcard processing
  * re-institute the patch for filenames that are exactly 100 characters in
    length originally reported in #230910, closes: #376909
- 8. By Bdale Garbee
  * new upstream version, retrieved from alpha.gnu.org
  * update date in tar.1, closes: #367290
  * support rollbacks in maintainer scripts, drop removal of info since this
    package no longer delivers an info doc, closes: #374461
- 6. By Martin Pitt
  * SECURITY UPDATE: Arbitrary code execution with crafted tar files.
  * src/xheader.c:
    - Add a new function decode_num() which wraps xstrtoumax() and adds
      boundary and sanity checking.
    - Use decode_num() instead of xstrtoumax() in the code to avoid buffer
      overflows on excessively large field values like GNU.sparse.numblocks.
    - Patch taken from upstream CVS.
  * CVE-2006-0300
- 5. By Bdale Garbee
  * patch from LaMont to fix gcc-4.0 error in the test suite,
    closes: #308815, #310830
  * patch for de.po from Jens Seidel, closes: #313900
  * fix amanda upstream URL in the info pages, closes: #310158
  * patch from NIIBE Yutaka to support cross builds, closes: #283723
- 4. By Bdale Garbee
  * patch from Paul Eggert that does a better job of eliminating the
    dependency on (buggy) valloc, closes: #234422, #248897
  * patch for typo in upstream po/de.po, closes: #154511
  * switch from dh_installmanpages to dh_installman
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/karmic/tar