Hi,
* Niko Tyni <nt...@debian.org> [2008-12-26 21:14]:
> As reported by Anna Bernathova in
>
> http://rt.cpan.org/Public/Bug/Display.html?id=30380#txn-436899
>
> > rm -rf dir && mkdir dir && ln -s
> > .//..//..//..//..//..//..//..//..//..//..//etc dir/subdir && tar -cf
> > dir.tar --numeric-owner --owner=0 --group=0 dir/subdir dir/subdir/passwd
> >
> > and then
> >
> > use Archive::Tar;
> > my $tar = Archive::Tar->new($ARGV[0]);
> > $tar->extract();
> >
> > on your archive, you will get attempt to rewrite /etc/passwd:
>
> This was fixed upstream in 1.39_01. Ubuntu backported the fix recently
> for 5.10.0-11.1ubuntu2.2; I'm attaching their patch.

Is this different from CVE-2007-4829 which is fixed in
libarchive-tar-perl 1.38-1 referring to
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449544?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
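
Added example, not part of the original message and not the upstream or Ubuntu patch: a pre-extraction check, using Archive::Tar's own accessors, that rejects the archive layout from the quoted report, where one member is a symlink and another member's path descends through it. The helper names and the sample member names are assumptions made for illustration.

```perl
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant;    # exports SYMLINK

# Split a member path into components, dropping empty and "." parts.
sub components {
    my ($path) = @_;
    return grep { length($_) && $_ ne '.' } split m{/+}, $path;
}

# Hypothetical helper: return [member, symlink] pairs for every member whose
# path has another member of type symlink as a parent component.
sub members_through_symlinks {
    my ($tar) = @_;
    my @files = $tar->get_files;

    # Pass 1: normalised paths of all symlink members, wherever they appear.
    my %symlink;
    for my $f (grep { $_->is_symlink } @files) {
        $symlink{ join '/', components($f->full_path) } = 1;
    }

    # Pass 2: test each proper prefix of each member path.
    my @hits;
    for my $f (@files) {
        my @parts = components($f->full_path);
        for my $i (0 .. $#parts - 1) {
            my $prefix = join '/', @parts[0 .. $i];
            push @hits, [ $f->full_path, $prefix ] if $symlink{$prefix};
        }
    }
    return @hits;
}

# Constructed sample archive, built in memory; nothing is written to disk.
my $tar = Archive::Tar->new;
$tar->add_data('dir/subdir', '', { type => SYMLINK, linkname => '../elsewhere' });
$tar->add_data('dir/subdir/passwd', "constructed sample data\n");
$tar->add_data('dir/README', "constructed sample data\n");

my @hits = members_through_symlinks($tar);
if (@hits) {
    print "refusing to extract: $_->[0] passes through symlink $_->[1]\n" for @hits;
} else {
    $tar->extract;
}
```

The check covers only this layout; absolute paths and ".." components in member names need their own checks.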