Ubuntu
tar package

Change logs for tar source package in Feisty

  1. Feisty (7.04)
  2. Change log 
  • tar (1.16-2ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: directory traversal with malicious tar files.
  * src/names.c: adjust dot dot checking, patched inline.
  * References
    CVE-2007-4131

 -- Kees Cook <email address hidden>   Tue, 28 Aug 2007 09:45:12 -0700
  • tar (1.16-2) unstable; urgency=high

  * patch from Kees Cook via upstream to disable handling of GNUTYPE_NAMES 
    by default and add a new command-line switch --allow-name-mangling to 
    re-enable it, as a fix for directory traversal bug (CVE-2006-6097), 
    closes: #399845

 -- Kees Cook <email address hidden>   Mon,  18 Dec 2006 12:17:30 +0000
  • tar (1.16-1ubuntu1) feisty; urgency=low

  * SECURITY UPDATE: files can be overwritten/renamed in any writable location
    in the filesystem via GNUTYPE_NAMES type.
  * src/extract.c: disable GNUTYPE_NAMES type processing by default since it
    allows for immediate symlink creation and renames.
  * src/common.h, src/tar.c: add --allow-name-mangling option to restore
    default behavior.
  * References
    http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html

 -- Kees Cook <email address hidden>   Wed, 22 Nov 2006 19:46:54 -0800
  • tar (1.16-1) unstable; urgency=medium

  * new upstream version, closes: #376816, #363943, #377124, #377330
  * fix for buffer overflow in test suite, closes: #377557
  * force a clean in the tests directory before running the test suite, seems
    to work around test suite repeatability problems, closes: #377330, #379393
  * accept patch from Raphael Bossek to zero nanoseconds, closes: #329843
  * update man page to reflect change in -l definition and other misc changes
    to options since man page was last updated, 
    closes: #384508, #391718, 361932, #315506
  * stop delivering upstream README, closes: #323232

 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  08 Nov 2006 19:47:13 +0000
  • tar (1.15.91-2) unstable; urgency=low

  * add a NEWS.Debian file that communicates the change in wildcard processing
  * re-institute the patch for filenames that are exactly 100 characters in 
    length originally reported in #230910, closes: #376909

 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  10 Jul 2006 12:36:49 +0100