lp:ubuntu/feisty-security/tar

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/feisty-security/tar

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

13. By Kees Cook

* SECURITY UPDATE: directory traversal with malicious tar files.
* src/names.c: adjust dot dot checking, patched inline.
* References
  CVE-2007-4131

12. By Bdale Garbee

patch from Kees Cook via upstream to disable handling of GNUTYPE_NAMES
by default and add a new command-line switch --allow-name-mangling to
re-enable it, as a fix for directory traversal bug (CVE-2006-6097),
closes: #399845

11. By Kees Cook

* SECURITY UPDATE: files can be overwritten/renamed in any writable location
  in the filesystem via GNUTYPE_NAMES type.
* src/extract.c: disable GNUTYPE_NAMES type processing by default since it
  allows for immediate symlink creation and renames.
* src/common.h, src/tar.c: add --allow-name-mangling option to restore
  default behavior.
* References
  http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html

10. By Bdale Garbee

* new upstream version, closes: #376816, #363943, #377124, #377330
* fix for buffer overflow in test suite, closes: #377557
* force a clean in the tests directory before running the test suite, seems
  to work around test suite repeatability problems, closes: #377330, #379393
* accept patch from Raphael Bossek to zero nanoseconds, closes: #329843
* update man page to reflect change in -l definition and other misc changes
  to options since man page was last updated,
  closes: #384508, #391718, #361932, #315506
* stop delivering upstream README, closes: #323232

9. By Bdale Garbee

* add a NEWS.Debian file that communicates the change in wildcard processing
* re-institute the patch for filenames that are exactly 100 characters in
  length originally reported in #230910, closes: #376909

8. By Bdale Garbee

* new upstream version, retrieved from alpha.gnu.org
* update date in tar.1, closes: #367290
* support rollbacks in maintainer scripts, drop removal of info since this
  package no longer delivers an info doc, closes: #374461

7. By Ian Jackson

Do not mess with directory permissions when extracting
without -p. Malone 19540.

6. By Martin Pitt

* SECURITY UPDATE: Arbitrary code execution with crafted tar files.
* src/xheader.c:
  - Add a new function decode_num() which wraps xstrtoumax() and adds
    boundary and sanity checking.
  - Use decode_num() instead of xstrtoumax() in the code to avoid buffer
    overflows on excessively large field values like GNU.sparse.numblocks.
  - Patch taken from upstream CVS.
* CVE-2006-0300

5. By Bdale Garbee

* patch from LaMont to fix gcc-4.0 error in the test suite,
  closes: #308815, #310830
* patch for de.po from Jens Seidel, closes: #313900
* fix amanda upstream URL in the info pages, closes: #310158
* patch from NIIBE Yutaka to support cross builds, closes: #283723

4. By Bdale Garbee

* patch from Paul Eggert that does a better job of eliminating the
  dependency on (buggy) valloc, closes: #234422, #248897
* patch for typo in upstream po/de.po, closes: #154511
* switch from dh_installmanpages to dh_installman

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/tar