Change History (8)
comment:1 by , 17 years ago
| Milestone: | → 6.3 |
|---|---|
| Summary: | bug in tar → Security vulnerability in tar |
comment:2 by , 17 years ago
See http://lists.gnu.org/archive/html/bug-tar/2006-11/msg00042.html for the initial patch for this and http://lists.gnu.org/archive/html/bug-tar/2006-11/msg00043.html for a description of a minor fix that's needed in addition to it. Tar-1.16.1 should be out in about a week that fixes this bug.
comment:3 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Tar-1.16.1 is out. Test suite passes on my box (63 passes, 8 skipped), with gzip-1.3.8.
comment:4 by , 17 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
Reopening - we've not yet upgraded the version of tar in the book.
comment:5 by , 17 years ago
| Owner: | changed from to |
|---|---|
| Status: | reopened → new |
comment:6 by , 17 years ago
| Status: | new → assigned |
|---|
Note:
See TracTickets
for help on using tickets.
Thanks. For reference, this is CVE-2006-6097 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097).
Upstream would appear to favour a different approach than that taken by the patch you linked to. See http://lists.gnu.org/archive/html/bug-tar/2006-11/msg00030.html, where it appears that they're going to remove mangle.c. I'd prefer to wait until upstream publish their recommended patch.