From: Jeremy C. Reed (reed_at_reedmedia.net)
Date: Mon Oct 07 2002 - 16:10:44 CDT

    There have been some vulnerabilities with gnu-tar (and unzip)
    where arbitrary files can be overwritten during archive extraction.

    The regular official FSF/GNU mirrors don't have recent tar, but a new
    version is at ftp://alpha.gnu.org/gnu/tar/ (and GNU alpha (not the
    hardware) mirrors).

    I also read that tar-1.13.25 version has issues too which Red Hat fixed.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0399

    The source is at
    ftp://updates.redhat.com/6.2/en/os/SRPMS/tar-1.13.25-1.6.src.rpm.

    (It looks like the archivers/unzip is already up-to-date.)

    I send-pr'd this so it can be kept track of for gnu-tar.

    As far as I know, all uses of tar files in the default install and with
    build tools can be done with pax. A couple other operating systems happily
    use a pax (or a wrapper) instead of GNU tar. I am guessing that pax is
    better than any other public domain or BSD version of tar.

       Jeremy C. Reed
       http://www.reedmedia.net/
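The arbitrary-file-overwrite problem the post refers to arises when an archive member's path escapes the extraction directory: a leading "/", ".." components, or a link whose target points outside the tree. The following is an added example and is not code from the post, from GNU tar or from pax. It lists such members before anything is extracted, so a build tool or package fetcher can refuse the archive. The sample archive is constructed inline with Python's standard tarfile module; all member names in it are made up for the demonstration.

```python
import io
import posixpath
import tarfile


def escapes_destination(name: str) -> bool:
    """True if a member path would land outside the extraction directory.

    posixpath is used deliberately: tar member names are '/'-separated
    regardless of the host platform, so the check behaves the same everywhere.
    """
    if name.startswith("/"):
        return True
    # normpath collapses "a/../b" -> "b" but leaves "../x" as "../x"
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def unsafe_members(archive: bytes) -> list:
    """Return the names of members that would write outside the extraction dir.

    Regular files and directories are judged by their own name.  Hard links
    are also judged by their link target.  Symlinks are flagged when their
    target, resolved relative to the link's own directory, escapes, because a
    later member can then be written through the symlink.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            if escapes_destination(m.name):
                flagged.append(m.name)
            elif m.islnk() and escapes_destination(m.linkname):
                flagged.append(m.name)
            elif m.issym():
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_destination(target):
                    flagged.append(m.name)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and three escaping ones.

    TarInfo/addfile are used instead of TarFile.add() because add() strips
    leading '/' from names, which would hide the absolute-path case.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

        add_file("pkg/README", b"benign\n")                       # stays inside
        add_file("../../tmp/overwrite_me", b"escapes via ..\n")  # '..' traversal
        add_file("/tmp/absolute_path", b"escapes via /\n")       # absolute path
        link = tarfile.TarInfo("pkg/link_out")                   # symlink out
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    bad = unsafe_members(build_sample_archive())
    if bad:
        print("refusing archive; escaping members:")
        for name in bad:
            print("  ", name)
    else:
        print("archive is safe to extract")
```

Run the check on the downloaded archive before handing it to tar or pax, and treat any flagged member as grounds to reject the whole archive rather than skipping individual entries.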