Your message dated Thu, 23 Feb 2006 11:32:08 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#354091: fixed in tar 1.15.1-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: tar
Version: 1.15.1-2
Severity: critical
Tags: security patch

Hi!

A while ago an exploitable buffer overflow was published in tar [1].
Unfortunately this got commonly known only recently. You can get the
patch (which was extracted from upstream CVS) from [2].

Woody's version is not affected, but Sarge's is. The patch applies
cleanly to the Sarge version as well.

Please add the CVE number to the changelog when you fix this.

Thanks,

Martin

[1] http://lists.gnu.org/archive/html/bug-tar/2005-06/msg00029.html
[2] http://patches.ubuntu.com/patches/tar.CVE-2006-0300.patch

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



--- End Message ---
--- Begin Message ---
Source: tar
Source-Version: 1.15.1-3

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive:

tar_1.15.1-3.diff.gz
  to pool/main/t/tar/tar_1.15.1-3.diff.gz
tar_1.15.1-3.dsc
  to pool/main/t/tar/tar_1.15.1-3.dsc
tar_1.15.1-3_i386.deb
  to pool/main/t/tar/tar_1.15.1-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <[EMAIL PROTECTED]> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 23 Feb 2006 13:02:09 -0600
Source: tar
Binary: tar
Architecture: source i386
Version: 1.15.1-3
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <[EMAIL PROTECTED]>
Changed-By: Bdale Garbee <[EMAIL PROTECTED]>
Description: 
 tar        - GNU tar
Closes: 272888 286978 314805 319635 330187 343062 354091
Changes: 
 tar (1.15.1-3) unstable; urgency=high
 .
   * patch for src/xheader.c suggested by Martin Pitt, to fix exploitable
     buffer overflow [CVE-2006-0300], closes: #354091, #314805
   * change default path for rmt in lib/localedir.h to be correct for Debian
     systems, closes: #319635
   * updated Italian translation from Marco d'Itri, closes: #286978
   * patch from Loic Minier fixing wrong matching of file names when special
     characters are present, closes: #272888
   * patch suggested by Stephen Frost to convert fatal error to warning when
     an archive spanning multiple volumes contains a filename longer than
     100 characters, closes: #330187
   * patch from Peter Samuelson to fix hard link handling in the presence
     of the --strip-components option, closes: #343062
   * update debhelper compat level to 5
Files: 
 58cefb921a4b79f4c74b8bcd9516bd6b 552 base required tar_1.15.1-3.dsc
 4f36ad73b51359b311d1cc09eca963ee 47142 base required tar_1.15.1-3.diff.gz
 7b1aa651c91398561029d07051200b11 770876 base required tar_1.15.1-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD/gvfZKfAp/LPAagRAmcwAJ0WyzmDxhXMa2REw9hpW8IItt/t3QCfXsIb
fFdNX3grOJknRw87vgEmZCc=
=68M6
-----END PGP SIGNATURE-----


--- End Message ---
