rpms/tar/devel tar-1.17-dot_dot_vuln.patch, NONE, 1.1 tar.spec, 1.61, 1.62

Radek Brich (rbrich) fedora-extras-commits at redhat.com
Tue Aug 28 11:46:42 UTC 2007


Author: rbrich

Update of /cvs/extras/rpms/tar/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27408

Modified Files:
	tar.spec 
Added Files:
	tar-1.17-dot_dot_vuln.patch 
Log Message:
CVE-2007-4131

tar-1.17-dot_dot_vuln.patch:

--- NEW FILE tar-1.17-dot_dot_vuln.patch ---
--- tar-1.17/src/names.c.dot_dot_vuln	2007-06-28 18:19:13.000000000 +0200
+++ tar-1.17/src/names.c	2007-08-15 16:29:20.000000000 +0200
@@ -1009,11 +1009,10 @@ contains_dot_dot (char const *name)
       if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
 	return 1;
 
-      do
+      while (! ISSLASH (*p))
 	{
 	  if (! *p++)
 	    return 0;
 	}
-      while (! ISSLASH (*p));
     }
 }
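Review bot: The rewritten loop at the `while (! ISSLASH (*p))` line carries no comment explaining why the slash test must come before the advance, which is exactly the subtlety the old `do`/`while` got wrong: it always consumed one character before looking for a slash, so whenever the top-of-loop `..` test was reached with p already on a slash (the second of two adjacent slashes, or a name that begins with one) the `..` that followed was stepped over and never tested. A comment such as `/* Skip to the next slash or NUL, testing before advancing: if P is already on a slash the following component still has to reach the ".." test above, otherwise "//.." is missed (CVE-2007-4131).  */` above the `while` would keep a future refactor from reintroducing it. The signature of contains_dot_dot and the start of its body, including the initial value of p, are outside the hunk. Since the spec already carries a testsuite patch (Patch3), a regression case that pushes a name containing `//..` through this check would be worth adding alongside the fix.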


Index: tar.spec
===================================================================
RCS file: /cvs/extras/rpms/tar/devel/tar.spec,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- tar.spec	2 Jul 2007 08:26:18 -0000	1.61
+++ tar.spec	28 Aug 2007 11:46:09 -0000	1.62
@@ -2,8 +2,8 @@
 Name: tar
 Epoch: 2
 Version: 1.17
-Release: 1%{?dist}
-License: GPL
+Release: 2%{?dist}
+License: GPLv2+
 Group: Applications/Archiving
 URL: http://www.gnu.org/software/tar/
 Source0: ftp://ftp.gnu.org/pub/gnu/tar/tar-%{version}.tar.gz
@@ -14,6 +14,7 @@
 Patch3: tar-1.17-testsuite.patch
 Patch4: tar-1.17-xattrs.patch
 Patch5: tar-1.17-wildcards.patch
+Patch6: tar-1.17-dot_dot_vuln.patch
 Prereq: info
 BuildRequires: autoconf automake gzip texinfo gettext libacl-devel libselinux-devel
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -39,6 +40,7 @@
 %patch3 -p1 -b .testsuite
 %patch4 -p1 -b .xattrs
 %patch5 -p1 -b .wildcards
+%patch6 -p1 -b .dot_dot_vuln.patch
 
 %build
 %configure --bindir=/bin --libexecdir=/sbin
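Review bot: The backup suffix on the new `%patch6` line, `.dot_dot_vuln.patch`, is inconsistent with the neighbouring `%patch` lines, which use the bare patch name (`.testsuite`, `.xattrs`, `.wildcards`), and with the patch's own `---` header, which names the backup `names.c.dot_dot_vuln`. Use `%patch6 -p1 -b .dot_dot_vuln` so the backup file matches both the convention in this block and the patch header. This is a naming nit only; it does not change what gets built.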
@@ -89,6 +91,10 @@
 %{_infodir}/tar.info*
 
 %changelog
+* Tue Aug 28 2007 Radek Brich <rbrich at redhat.com> 2:1.17-2
+- updated license tag
+- fixed CVE-2007-4131 tar directory traversal vulnerability (#251921)
+
 * Thu Jun 28 2007 Radek Brich <rbrich at redhat.com> 2:1.17-1
 - new upstream version
 - patch for wildcards (#206841), restoring old behavior



