Opened 18 years ago
Closed 18 years ago
#1767 closed defect (fixed)
Tar-1.15.1 security vulnerability
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | high | Milestone: | 6.2 |
| Component: | Book | Version: | SVN |
| Severity: | blocker | Keywords: | |
| Cc: |
Description
The problem: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300
Gentoo's fix (untested by me): http://mirror.phy.olemiss.edu/mirror/gentoo-portage/app-arch/tar/files/tar-CVE-2006-0300.patch
Change History (4)
comment:1 by , 18 years ago
comment:3 by , 18 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
I've rediffed the ubuntu version and put it in patches as patch-1.15.1-security_fixes-1.patch. I don't have a specially crafted archive to test it against, but my results of extracting and creating an example tarball match the book's current version.
comment:4 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed in r7520, and also added to the errata for 6.1.1.
Note:
See TracTickets
for help on using tickets.
Debian/Ubuntu is using the same patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354091
http://patches.ubuntu.com/patches/tar.CVE-2006-0300.patch
Seems like a good way to go.