From 1ff2f5cb0aa2b2098f6b22b8df395c6e0d12e23e Mon Sep 17 00:00:00 2001 
From: Salvatore Bonaccorso
Date: Sun, 30 Oct 2016 07:35:31 +0100
Subject: [PATCH] Import Debian changes 1.29b-1.1

tar (1.29b-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * CVE-2016-6321: Bypassing the extract path name.
    When extracting, member names containing '..' components are skipped.
    (Closes: #842339)

tar (1.29b-1) unstable; urgency=medium

  * re-constitute the 1.29 orig.tar with man pages as version 1.29b
  * re-enable parallel builds and increase build verbosity, closes: #824631
  * switch to man pages provided by upstream since 1.28, closes: #827017,
    #391714, #473228, #524819, #711725, #720877, #766016, #779795.

tar (1.29-1) unstable; urgency=medium

  * new upstream version, closes: #816072

tar (1.28-2) unstable; urgency=low

  * patch from upstream to fix --files-from and recursive extract,
    closes: #800380

tar (1.28-1) unstable; urgency=low

  * new upstream version
  * patch from Reiner Herrmann that sets timestamp in generated manpage to
    latest changelog date to make building the package reproducible,
    closes: #774463
  * patch from Lunar adding --clamp-mtime option for reproducible builds,
    closes: #790415

tar (1.27.1-2) unstable; urgency=low

  * patch from David Gilman adds watch file with signature verification,
    closes: #742351
  * patch from David Gilman fixes problem with multi-line descriptions,
    closes: #593149

tar (1.27.1-1) unstable; urgency=low

  * new upstream version

tar (1.27-4) unstable; urgency=low

  * add ACL, XATTR, and SELinux support by augmenting build-deps so the
    configure will find the right libraries, closes: #732071

tar (1.27-3) unstable; urgency=low

  * patch from Joey Hess to allow tar to replicate 1.26 output on behalf of
    pristine-tar, closes: #728025
  * honor DEB_BUILD_OPTIONS parallel=, honor dpkg-buildflags in build target
    in addition to configure target, closes: #727196
  * lower mime priority to 1 so interactive packages using the default
    priority of 5 win, closes: #727303

tar (1.27-2) unstable; urgency=low

  * claim support for mime type
    application/x-ustar too, and no longer explicitly mention
    decompression, closes: #727159

tar (1.27-1) unstable; urgency=low

  * new upstream version
  * prefix backup and restore scripts with tar- to avoid conflicts with
    other packages like openafs-client, closes: #724064, #724240
  * move "libexec" content in tar-scripts to /usr/lib/tar, closes: #724238

tar (1.26+dfsg-10) unstable; urgency=low

  * tar-scripts should be optional, not required

tar (1.26+dfsg-9) unstable; urgency=low

  * add a tar-scripts package containing the --enable-backup-scripts
    content, which conflicts with files in at least the dump package,
    closes: #293671

tar (1.26+dfsg-8) unstable; urgency=low

  * cherry-pick upstream commit at Pino Toscano's suggestion to fix FTBFS
    on hurd-i386, closes: #719863

tar (1.26+dfsg-7) unstable; urgency=low

  * cherry-pick upstream commit at Marc Schaeffer's suggestion to fix
    --compare failures, closes: #614085

tar (1.26+dfsg-6) unstable; urgency=low

  * cherry-pick upstream commit at Paul Eggert's suggestion to address
    link extraction issue, closes: #452365

tar (1.26+dfsg-5) unstable; urgency=low

  [ Wookey ]
  * Fix included gnulib so we don't get FTBFS with eglibc-2.16,
    closes: #693352, #701419

  [ Bdale Garbee ]
  * update mailcap entries to use %s, closes: #681302
  * include the http://www.gnu.org/software/tar/utils/tarcat script for use
    with multi-volume archives, closes: #492036

tar (1.26+dfsg-0.1) unstable; urgency=low

  * non-maintainer upload
  * remove unused and non-DFSG compliant doc/*.texi and doc/*.info* files
    from source, closes: #695803

tar (1.26-4) unstable; urgency=low

  * mark "Multi-Arch: foreign" to ease crossgrading, closes: #649478
  * hardened build flags patch from Moritz Muehlenhoff, closes: #653722

tar (1.26-3) unstable; urgency=low

  * only run listed03.at on Linux systems since upstream says it's known to
    fail on BSD, apparently including our kfreebsd variants, closes: #639178

tar (1.26-2) unstable; urgency=low

  * clean up various lintian warnings

tar (1.26-1) unstable; urgency=low

  * new upstream version
  * add a check to the rules file to ensure test suite is not attempted
    while building as root, closes: #596268

tar (1.25-3) unstable; urgency=low

  * cherry-pick some upstream commits that appear to address open bugs
  * fix for --one-file-system and --listed-incremental together,
    closes: #603371, #604394, #604698
  * fix for FreeBSD symlink incompatibility with POSIX, closes: #602241

tar (1.25-2) unstable; urgency=low

  * accept a "hack" from Joey Hess to work around an unfortunate side
    effect of removing the patch to src/create.c regarding links of 100
    chars in 1.23-4 that broke pristine-tar in some cases.  The "fix" is to
    support the old behavior if the environment variable TAR_LONGLINK_100
    is set, which pristine-tar knows about and will use when necessary but
    which should never be used by anyone else!  closes: #603231

tar (1.25-1) unstable; urgency=low

  * new upstream version, closes: #602184, #602209, #602413, #575298
  * Add Vcs-Git, Vcs-Browser fields to debian/control using patch from
    Simon McVittie's 1.24-1.1 NMU, closes: #602639, #602709
  * stop patching src/list.c since it now does more harm than good, and
    add a Breaks against old dpkg versions, closes: #522858

tar (1.24-1) unstable; urgency=low

  * new upstream version

tar (1.23-4) unstable; urgency=low

  * revert patch to src/create.c introduced in 2004 to fix a dpkg bug long
    since resolved, closes: #598345

tar (1.23-3) unstable; urgency=medium

  * add xz-utils back to the Suggests list since it may not be 'required'
    forever
  * current debhelper includes trigger support, closes: #561598
  * patch from upstream to fix ability of rmt to accept mixed file mode
    representations, closes: #587702, #597672

tar (1.23-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * src/extract.c: Apply upstream git commit b60e56fd which fixes a dead
    loop on extracting existing symlinks with the -k option,
    closes: #577978, #576876.
tar (1.23-2) unstable; urgency=low

  * use xz when lzma is called for, and stop suggesting both lzma since
    it's no longer used, and xz-utils since it's now priority required,
    closes: #582706, #523494

tar (1.23-1) unstable; urgency=low

  * new upstream version, fixes security issue in rmt (CVE-2010-0624)
  * add suggests for lzma and xz-utils, closes: #523499

tar (1.22-2) unstable; urgency=low

  * Add Carl Worth as an uploader.
  * Fix to allow parallel build (-j2), closes: #535319
  * Don't close file stream before EOF, closes: #525818
  * Preserve hard links with --remove-files, closes: #188663
    Thanks to Ted Ts'o for the idea and Sergey Poznyakoff for cleaning up
    my original implementation.
  * Respect DEB_BUILD_OPTIONS=nocheck to conform with Policy 3.8.2

tar (1.22-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Set SIGPIPE to default action, patch from upstream. (closes: #532570)

tar (1.22-1) unstable; urgency=low

  * new upstream version
  * version the Replaces entry for cpio, closes: #483355
  * move config.* update to configure target, yields a smaller diff that
    doesn't clash with git-buildpackage... already had autotools-dev
    build dep!
  * script debian/tarman contributed by Marcus Watts now used to create
    tar.1 by processing usage text in source code!  Partial fix for #473328.
    closes: #515578, #429776, #411707,

tar (1.20-1) unstable; urgency=low

  * new upstream version

tar (1.19-3) unstable; urgency=low

  * upstream patch to remove error message when updating a non-existing
    archive
  * patch from Phil Hands for man page prevents URL splitting,
    closes: #463215

tar (1.19-2) unstable; urgency=low

  * patch from Ubuntu to fix FTBFS with gcc-4.3, closes: #452096, #441606
  * more descriptive short description in control, closes: #406301

tar (1.19-1) unstable; urgency=low

  * new upstream version
  * no need to deliver license text, as GPL-3 is in common-licenses now

tar (1.18-3) unstable; urgency=high

  * fix build with gcc-4.3, closes: #441606

tar (1.18-2) unstable; urgency=high

  * patch from Neil Moore improving the man page, closes: #439916
  * patch from Justin Pryzby improving the man page, closes: #433553
  * patch from upstream to fix directory traversal concern on extraction
    documented in (CVE-2007-4131), closes: #439335
  * urgency to high since preceding bug has security implications

tar (1.18-1) unstable; urgency=low

  * new upstream version, closes: #429417, #426808
  * include COPYING file containing GPLv3 until base-file is updated
  * fix filename of NEWS.Debian so that it actually gets delivered
  * patch from Wim De Smet to document --strip in the man page,
    closes: #417810
  * patch from upstream CVS to fix --verify on large files, closes: #422718
  * add suggest of ncompress mirroring suggest of bzip2 to enable optional
    functionality, closes: #122451

tar (1.16.1-1) unstable; urgency=low

  * new upstream version, closes: #402179
  * updated Russian translation from Yuriy Talakan, closes: #411613

tar (1.16-2) unstable; urgency=high

  * patch from Kees Cook via upstream to disable handling of GNUTYPE_NAMES
    by default and add a new command-line switch --allow-name-mangling to
    re-enable it, as a fix for directory traversal bug (CVE-2006-6097),
    closes: #399845

tar (1.16-1) unstable; urgency=medium

  * new upstream version, closes: #376816, #363943, #377124, #377330
  * fix for buffer overflow in test suite, closes: #377557
  * force a clean in the tests directory before running the test suite,
    seems to work around test suite repeatability problems,
    closes: #377330, #379393
  * accept patch from Raphael Bossek to zero nanoseconds, closes: #329843
  * update man page to reflect change in -l definition and other misc
    changes to options since man page was last updated,
    closes: #384508, #391718, 361932, #315506
  * stop delivering upstream README, closes: #323232

tar (1.15.91-2) unstable; urgency=low

  * add a NEWS.Debian file that communicates the change in wildcard
    processing
  * re-institute the patch for filenames that are exactly 100 characters in
    length originally reported in #230910, closes: #376909

tar (1.15.91-1) unstable; urgency=low

  * new upstream version, retrieved from alpha.gnu.org
  * update date in tar.1, closes: #367290
  * support rollbacks in maintainer scripts, drop removal of info since
    this package no longer delivers an info doc, closes: #374461

tar (1.15.1dfsg-3) unstable; urgency=low

  * revert to upstream auto* products and take a different approach to
    eliding doc/ contents, since I'm clearly just not smart enough to use
    auto* tools without breaking more than I fix, closes: #362249

tar (1.15.1dfsg-2) unstable; urgency=low

  * run aclocal and automake to get last reference to doc subdir out of
    Makefile.in, closes: #361931

tar (1.15.1dfsg-1) unstable; urgency=low

  * remove the documentation source from this package, since it is licensed
    under the GFDL with invariant cover texts that upstream is unwilling or
    unable to remove, closes: #357259
  * remove install-info call from postinst, since it is no longer relevant
  * include URL for the online version of the tar documentation in the
    man page
  * run make with same env vars set as configure to avoid situation where
    make re-running configure causes rsh to not be found, etc,
    closes: #356657
  * another patch from Goswin to fix test failures on amd64, closes: #354847

tar (1.15.1-6) unstable; urgency=low

  * patch from upstream to fix incorrect listing of a non-existing section
    as invariant in the GFDL license header, closes: #357259

tar (1.15.1-5) unstable; urgency=low

  * patch from Goswin von Brederlow to sort tar output in test suite to
    compensate for different file order when ext3 option dir_index is
    enabled on build system, first seen on amd64 autobuilder,
    closes: #354847

tar (1.15.1-4) unstable; urgency=low

  * change section from base to utils to resolve override disparity
  * add build dependency on autoconf, closes: #354194

tar (1.15.1-3) unstable; urgency=high

  * patch for src/xheader.c suggested by Martin Pitt, to fix exploitable
    buffer overflow [CVE-2006-0300], closes: #354091, #314805
  * change default path for rmt in lib/localedir.h to be correct for
    Debian systems, closes: #319635
  * updated Italian translation from Marco d'Itri, closes: #286978
  * patch from Loic Minier fixing wrong matching of file names when
    special characters are present, closes: #272888
  * patch suggested by Stephen Frost to convert fatal error to warning
    when an archive spanning multiple volumes contains a filename longer
    than 100 characters, closes: #330187
  * patch from Peter Samuelson to fix hard link handling in the presence
    of the --strip-components option, closes: #343062
  * update debhelper compat level to 5

tar (1.15.1-2) unstable; urgency=low

  * patch from LaMont to fix gcc-4.0 error in the test suite,
    closes: #308815, #310830
  * patch for de.po from Jens Seidel, closes: #313900
  * fix amanda upstream URL in the info pages, closes: #310158
  * patch from NIIBE Yutaka to support cross builds, closes: #283723

tar (1.15.1-1) unstable; urgency=low

  * new upstream version, closes: #292255, #287251, #255067
  * fetch tests/append.at from CVS since it was omitted from the 1.15.1
    tarball, and update the regression test invocation in debian/rules
  * tweaks to man page, closes: #265615
  * add --libexecdir definition to configure call, closes: #307070, #291068
  * stop trying to link
    /sbin/rmt, closes: #287217, #156550
  * add --owner to man page, closes: #204848
  * only mention --totals once in man page, closes: #288002

tar (1.14-2) unstable; urgency=low

  * patch from Paul Eggert that does a better job of eliminating the
    dependency on (buggy) valloc, closes: #234422, #248897
  * patch for typo in upstream po/de.po, closes: #154511
  * switch from dh_installmanpages to dh_installman

tar (1.14-1) unstable; urgency=low

  * new upstream version, closes: #252491, #242231
  * eliminate autoconf and automake build dependencies
  * fix a bash-ism in the prerm for POSIX shell users
  * change valloc to malloc when allocating record_start, closes: #234422

tar (1.13.93-4) unstable; urgency=high

  * patch to stop issuing lone zero block warnings, closes: #235820
  * patch to clean up hyphenation in man page, closes: #185670
  * clean up manpage discussion of exclude and exclude-from, closes: #146196
  * turn on regression tests in the build process

tar (1.13.93-3) unstable; urgency=high

  * patch from upstream converts lone zero block errors to warnings,
    closes: #235821

tar (1.13.93-2) unstable; urgency=high

  * recover portion of patch from Ingo Saitz included in 1.13.92-4 that got
    lost when merging 1.13.93 upstream (argh!), closes: 230910

tar (1.13.93-1) unstable; urgency=low

  * new upstream version

tar (1.13.92-5) unstable; urgency=low

  * patch from Paul Eggert to revert bogus behavior where POSIXLY_CORRECT
    set in the environment forced 'pax' format archives, closes: #230872
  * add a lintian override for rmt's man page, since delivering it as an
    alternative makes the filename no longer match the script and symlink
    delivered for the binary

tar (1.13.92-4) unstable; urgency=low

  * patch from Ingo Saitz to avoid creating archives with shortnames of 100
    characters, since it can cause dpkg problems, closes: #230910
  * fix typo in info page, closes: #222569

tar (1.13.92-3) unstable; urgency=low

  * freshen build dependencies to use automaken
  * lose /usr/share/info/dir*gz, closes: #230418
  * reinstate content for mime-support, closes: #111893
  * implement alternatives for rmt, the version provided with dump will get
    higher priority than the one in tar since it's better - see #183901

tar (1.13.92-2) unstable; urgency=low

  * patches from CVS to stop stripping './' prefix from filenames, and to
    fix --no-recursion, closes: #230431, #230434

tar (1.13.92-1) unstable; urgency=low

  * new upstream version, closes: #229827

tar (1.13.25-6) unstable; urgency=low

  * accept patch from Goswin Brederlow to hard-code RSH definition in rules
    file, eliminating rsh-client from build deps, closes: #185594, #200042
  * patch from Marc SCHAEFER to fix symlink extraction as empty files,
    closes: #149532

tar (1.13.25-5) unstable; urgency=low

  * include fresher config.sub/guess, update in debian/rules,
    closes: #165778

tar (1.13.25-4) unstable; urgency=high

  * apply patch for path vulnerabilities documented in CVE CAN-2002-0399,
    make urgency high since this is a security issue, closes: #163152
  * include improved tar.1 man page from Andrew Moise

tar (1.13.25-3) unstable; urgency=low

  * apply patch to the Debian-originated tar manpage from Pedro Zorzenon
    Neto to clarify the value of using --bzip2 in scripts instead of -j to
    ensure compatibility with both old and new versions of tar.
    closes: #142242, #83233
  * fix capitalization concern in the control file, closes: #125629

tar (1.13.25-2) unstable; urgency=medium

  * add a README.Debian that clarifies the situation with respect to
    'compress' in Debian and the impact on the -Z and related options,
    closes: #122336
  * patch from Mark Eichin to fix archive corruption in special cases,
    which has been accepted upstream for next release.
    closes: #126274

tar (1.13.25-1) unstable; urgency=medium

  * new upstream version (bug fixes), closes: #113531
  * start having tar provide rmt, which means conflicting with and
    replacing cpio versions prior to the cutover, closes: #94257, #90794
  * make medium urgency, since we really want this and the associated cpio
    upload to both be in woody!

tar (1.13.22-1) unstable; urgency=medium

  * new upstream version, released specifically to help close bugs in woody
    upstream (Paul Eggert) says:

    regarding 1.13.22

    This fixes Debian bug 92106, in addition to the bug fixes I already
    reported to you for GNU tar 1.13.20 and 1.13.21.  It also fixes a
    core-dump bug for tar 1.13.19 and later, reported to bug-tar.

    regarding 1.13.21

    This fixes Debian bug 95984, in addition to the bug fixes I already
    reported to you for 1.13.20.  It also upgrades tar to use gettext
    0.10.39.

    regarding 1.13.20

    I haven't had time to fix all or even most of the bugs, but I suggest
    closing out or modifying the following bug reports:

    13312  I changed tar to avoid the problem (I hope; I can't test it).
    52092  Fixed.
    58890  Fixed, I think -- at least, I can't reproduce it now.
    65719  Not a bug?  last message in that bug report says it works for
           him.
    77664  Not a bug.  In that context FOO:BAR means 'file BAR on host FOO'.
    78179  Sorry, I don't follow this report.  Tar does strip leading '/'s
           for me.
    83458  Fixed.
    83735  Fixed.
    85400  Fixed for the info page only.  The man page is not part of
           tar-1.13.20.
    90794  This partly seems to be a Debian packaging problem; see 94257.
    94287  Fixed.
    95344  Fixed.
    95984  Not fixed in 1.13.20, but will be fixed in next version.
    99655  Fixed.
    100883 This bug report applies to the Debian distribution only.
    100885 Not a bug; see its last message.
    105744 Not a bug; see its last message.
    closes: #92106, #95984, #13312, #52092, #58890, #65719, #77664, #78179
    closes: #83458, #83735, #94287, #95344, #99655, #100885, #105744
  * add documentation for --rsh-command to the Debian-provided man page,
    closes: #85400
  * fix Debian-provided man page's reference to --exclude, closes: #100883

tar (1.13.19-1) unstable; urgency=low

  * new upstream version, -I no longer a valid option, closes: #81556
  * freshen debian/copyright

tar (1.13.18-2) unstable; urgency=low

  * update (Debian-only, not part of upstream release) man page for tar to
    reflect change from -I to -j for bzip2 support, closes: #80331

tar (1.13.18-1) unstable; urgency=low

  * new upstream version, closes: #57436, #51889
  * add suggestion for bzip2, closes: #64279
  * this package is pristine upstream source plus the debian/ directory,
    so there should be no issues compiling on any platform, closes: #58171

tar (1.13.17-2) frozen unstable; urgency=low

  * reconfigure, recompile to fix compile from source problem,
    closes: #60824

tar (1.13.17-1) unstable; urgency=low

  * new upstream source from alpha.gnu.org recommended by upstream
    maintainer Paul Eggert.
  * this version should handle multibyte encoded filenames, closes: #25140
  * upstream says the problem reported with -g is unreproducible in this
    version, closes: #23511
  * this version excludes sockets when building archives, closes: #51064

tar (1.13.15-1) unstable; urgency=low

  * new upstream source from alpha.gnu.org recommended by upstream
    maintainer Paul Eggert.
  * update to current policy
  * can't reproduce problem with remote host access reported in 1.13.11-2,
    assuming it's fixed, closes: #45647
  * upstream has not picked up our tar.1 manpage, so we'll try to keep it
    up to date, closes: #50856

tar (1.13.14-5) unstable; urgency=low

  * minor tweaks to clean up our diff, pointed out by the upstream
    maintainer

tar (1.13.14-4) unstable; urgency=low

  * update upstream maintainer and copyright references, etc

tar (1.13.14-3) unstable; urgency=low

  * fix default device in man page, closes: 50856

tar (1.13.14-2) unstable; urgency=low

  * fold in Torsten's work that closes: #50553
  * upstream folks indicate that $TAPE does not override -f in 1.13.14,
    closes: #47664
  * 1.13.14 has an updated man page that closes: #48603
  * the -X stuff has supposedly been fixed since 1.13.12, closes: #43826
  * rename upstream ChangeLog to changelog in the Debian package to satisfy
    lintian/policy

tar (1.13.14-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Moved the AC_LINK_FILES in configure.in inside the if (closes: #50553)

tar (1.13.14-1) unstable; urgency=low

  * new upstream source from alpha.gnu.org recommended by upstream
    maintainer Paul Eggert.

tar (1.13.11-2) unstable; urgency=low

  * fix error in man page, closes: #44610
  * patch from upstream that closes: #44827

tar (1.13.11-1) unstable; urgency=low

  * new upstream source from alpha.gnu.org recommended by upstream
    maintainer Paul Eggert.
  * move to FHS compliance with new debhelper

tar (1.13.6-1) unstable; urgency=medium

  * new upstream source from alpha.gnu.org recommended by upstream
    maintainer Paul Eggert.
  * bzip2 support is back, now with option '-y' instead of '-I'... rejoice!
    Closes: #42428, #42562, #42572, #42661, #42772
  * Paul claims that the -X option is fixed again, Closes: #42552
  * add mime-support goo, Closes: #26706
  * close bug reports I forgot to close last time, Closes: #33134, #37659

tar (1.13-3) unstable; urgency=low

  * include more docs in /usr/doc/tar, closes 33134
  * minor tweak to tar.1, closes 37659

tar (1.13-2) unstable; urgency=low

  * back out hacks we had made to 1.12 that seem to be causing problems in
    1.13, getting essentially to pristine 1.13 source plus debian control
    files

tar (1.13-1) unstable; urgency=low

  * new upstream source

tar (1.12-9) unstable; urgency=low

  * fix some issues with the contents of the po directory in my CVS
    repository

tar (1.12-8) unstable; urgency=low

  * update to handle changes in automake

tar (1.12-7) frozen unstable; urgency=low

  * merge new version of Italian translation, closes 30284
  * merge README.debian with copyright, closes 22370

tar (1.12-6) frozen unstable; urgency=low

  * update manpage to document -I, closes 21224

tar (1.12-5) frozen unstable; urgency=low

  * fix for erroneous time reports from --totals from Rob Browning,
    closes 18345
  * add --numeric-owner to man page, closes 20801
  * add some examples to the man page, closes 20290

tar (1.12-4) unstable; urgency=low

  * move from debmake to debhelper
  * address lintian error reports
  * apply patch from amanda distribution to fix read errors on sparse
    files.  This should close 16694.
  * updated dds2tar patch to restore proper operation of 'v' option.  This
    was causing corrupted archives when stdout was used.  Closes 17857,
    17916.

tar (1.12-3) unstable; urgency=low

  * apply patch to support dds2tar-2.4.15, closes bug 10774
  * apply patch to support use of bzip2, closes bugs 16280, 17221

tar (1.12-2) unstable; urgency=low

  * libc6
  * Folded in some of Michael Dorman's changes for alpha, which are really
    libc6 changes.  Closes bug 8823.

tar (1.12-1) unstable; urgency=low

  * New upstream version.
tar (1.11.8-11) stable frozen unstable; urgency=low

  * back out the change made for 1.11.8-8, since it isn't really effective,
    and caused several folks grief.  Closes bug 8040.

tar (1.11.8-10) stable frozen unstable; urgency=low

  * rework debian/rules for CFLAGS as per policy.  Closes bug 8065.

tar (1.11.8-9) unstable; urgency=medium

  * debmake shoved a man page for a porting utility (ansi2knr) that is in
    the tar source tree into the package.  Fixes bug 7408.

tar (1.11.8-8) unstable; urgency=medium

  * patch from the net for a quasi-security issue.  changes the behavior
    during extracts, so that tar won't create inappropriate setuid files
    from nonexistent users.

tar (1.11.8-7) unstable; urgency=medium

  * updated to current package standards
  * patch from the net that fixes sporadic multi-vol seg faults

--- debian/changelog | 9 +++-- debian/control | 2 +- .../When-extracting-skip-.-members.patch | 33 +++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 41 insertions(+), 4 deletions(-) create mode 100644 debian/patches/When-extracting-skip-.-members.patch diff --git a/debian/changelog b/debian/changelog index 50bf1d2d..c885a97e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,11 @@ -tar (1.29b-2) UNRELEASED; urgency=medium +tar (1.29b-1.1) unstable; urgency=medium - * add suggests tar-doc, closes: #856958 + * Non-maintainer upload. + * CVE-2016-6321: Bypassing the extract path name. + When extracting, member names containing '..' components are skipped. + (Closes: #842339) - -- Bdale Garbee Tue, 07 Mar 2017 08:49:50 -0700 + -- Salvatore Bonaccorso Sun, 30 Oct 2016 07:35:31 +0100 tar (1.29b-1) unstable; urgency=medium diff --git a/debian/control b/debian/control index 71c9c7cd..9440bd40 100644 --- a/debian/control +++ b/debian/control
@@ -16,7 +16,7 @@ Essential: yes Conflicts: cpio (<= 2.4.2-38) Replaces: cpio (<< 2.4.2-39) Breaks: dpkg-dev (<< 1.14.26) -Suggests: bzip2, ncompress, xz-utils, tar-scripts, tar-doc +Suggests: bzip2, ncompress, xz-utils, tar-scripts Description: GNU version of the tar archiving utility Tar is a program for packaging a set of files as a single archive in tar format. The function it performs is conceptually similar to cpio, and to diff --git a/debian/patches/When-extracting-skip-.-members.patch b/debian/patches/When-extracting-skip-.-members.patch new file mode 100644 index 00000000..b6241370 --- /dev/null +++ b/debian/patches/When-extracting-skip-.-members.patch @@ -0,0 +1,33 @@ +Description: When extracting, skip ".." members (CVE-2016-6321) +Origin: upstream, http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d +Bug-Debian: https://bugs.debian.org/842339 +Forwarded: not-needed. +Author: Paul Eggert +Last-Update: 2016-10-30 +--- + src/extract.c | 8 ++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/src/extract.c ++++ b/src/extract.c +@@ -1629,12 +1629,20 @@ extract_archive (void) + { + char typeflag; + tar_extractor_t fun; ++ bool skip_dotdot_name; + + fatal_exit_hook = extract_finish; + + set_next_block_after (current_header); + ++ skip_dotdot_name = (!absolute_names_option ++ && contains_dot_dot (current_stat_info.orig_file_name)); ++ if (skip_dotdot_name) ++ ERROR ((0, 0, _("%s: Member name contains '..'"), ++ quotearg_colon (current_stat_info.orig_file_name))); ++ + if (!current_stat_info.file_name[0] ++ || skip_dotdot_name + || (interactive_option + && !confirm ("extract", current_stat_info.file_name))) + { diff --git a/debian/patches/series b/debian/patches/series index b7090e0d..7c899e57 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ pristine-tar.diff listed03-linux-only rmt.8-header-wrong +When-extracting-skip-.-members.patch -- 2.30.2
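Review bot: the debian/changelog hunk replaces the pending `tar (1.29b-2) UNRELEASED` entry (`* add suggests tar-doc, closes: #856958`, signed 07 Mar 2017) instead of inserting the 1.29b-1.1 entry beneath it, so the record of the tar-doc change and of the #856958 closure disappears from the changelog; since 1.29b-1.1 sorts below 1.29b-2, the NMU entry should be added under the UNRELEASED entry with the 1.29b-2 entry kept in place, or, if the tar-doc change is being reverted on purpose, the 1.29b-1.1 entry should say so.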
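Review bot: the debian/control hunk drops `tar-doc` from `Suggests:` although the 1.29b-1.1 changelog entry describes only the CVE-2016-6321 fix; a security NMU should not silently undo the maintainer's pending change, so either keep `Suggests: bzip2, ncompress, xz-utils, tar-scripts, tar-doc` or add a changelog line stating that the tar-doc suggestion is reverted.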
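Review bot: the diffstat inside the new `When-extracting-skip-.-members.patch` is inconsistent with its own hunk: it lists only `src/extract.c | 8 ++++++++` but the summary reads `2 files changed, 15 insertions(+), 1 deletion(-)`, while the `@@ -1629,12 +1629,20 @@` hunk adds 8 lines and removes none; the summary line presumably survives from the larger upstream commit the patch was taken from and should be trimmed to match what the file now contains. On the change itself, the new `skip_dotdot_name` test is gated on `!absolute_names_option`, so `-P`/`--absolute-names` keeps the previous behaviour and such members are still extracted, and it inspects `current_stat_info.orig_file_name` whereas the adjacent empty-name check uses `current_stat_info.file_name`; both are upstream's choices, but the `Description:` header should say that the protection does not apply under `-P`, since that is what an administrator reading the changelog needs to know.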
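Review bot: the debian/patches/series hunk registers the file as `When-extracting-skip-.-members.patch`, whose single `.` reads as "skip . members" even though the patch skips `..` members (the `..` was evidently collapsed when the filename was generated); a name such as `When-extracting-skip-dotdot-members.patch` (a suggested name, not one used on this page) would be clearer, and any rename must be applied to both the series file and the new file under debian/patches.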