Ticket #1926 (closed task: fixed)

Opened 1 year ago

Last modified 7 months ago

Security vulnerability in tar

Reported by: Viper
Assigned to: matthew@linuxfromscratch.org
Priority: normal
Milestone:
Component: Book
Version: SVN
Severity: normal
Keywords:
Cc:

Change History

11/28/06 08:44:47 changed by matthew@linuxfromscratch.org

  • summary changed from bug in tar to Security vulnerability in tar.
  • milestone set to 6.3.

Thanks. For reference, this is CVE-2006-6097 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097).

Upstream would appear to favour a different approach than that taken by the patch you linked to. See http://lists.gnu.org/archive/html/bug-tar/2006-11/msg00030.html, where it appears that they're going to remove mangle.c. I'd prefer to wait until upstream publish their recommended patch.

11/30/06 05:22:00 changed by matthew@linuxfromscratch.org

See http://lists.gnu.org/archive/html/bug-tar/2006-11/msg00042.html for the initial patch for this and http://lists.gnu.org/archive/html/bug-tar/2006-11/msg00043.html for a description of a minor fix that's needed in addition to it. Tar-1.16.1, which fixes this bug, should be out in about a week.

12/10/06 14:23:04 changed by robert@linuxfromscratch.org

  • status changed from new to closed.
  • resolution set to fixed.

Tar-1.16.1 is out. Test suite passes on my box (63 passes, 8 skipped), with gzip-1.3.8.

12/11/06 05:10:36 changed by matthew@linuxfromscratch.org

  • status changed from closed to reopened.
  • resolution deleted.

Reopening - we've not yet upgraded the version of tar in the book.

01/27/07 14:08:22 changed by matthew@linuxfromscratch.org

  • owner changed from lfs-book@linuxfromscratch.org to matthew@linuxfromscratch.org.
  • status changed from reopened to new.

01/27/07 14:08:33 changed by matthew@linuxfromscratch.org

  • status changed from new to assigned.

01/31/07 11:26:03 changed by matthew@linuxfromscratch.org

  • status changed from assigned to closed.
  • resolution set to fixed.

Fixed in r7902.

10/05/07 07:53:16 changed by jhuntwork@linuxfromscratch.org

  • milestone deleted.

Milestone 6.3 deleted