
Accepted libtar 1.2.16-1+deb7u2 (source amd64)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 16 Feb 2014 19:12:18 +0100
Source: libtar
Binary: libtar-dev libtar0
Architecture: source amd64
Version: 1.2.16-1+deb7u2
Distribution: wheezy-security
Urgency: low
Maintainer: Magnus Holmgren <holmgren@debian.org>
Changed-By: Magnus Holmgren <holmgren@debian.org>
Description: 
 libtar-dev - C library for manipulating tar archives (development files)
 libtar0    - C library for manipulating tar archives
Closes: 731860
Changes: 
 libtar (1.2.16-1+deb7u2) wheezy-security; urgency=low
 .
   * [SECURITY] CVE-2013-4420.patch: Strip out leading slashes and any
     pathname prefix containing ".." components (Closes: #731860). This is
     done in th_get_pathname() (as well as to symlink targets when
     extracting symlinks), not merely when extracting files, which means
     applications calling that function will not see the stored
     filename. There is no way to disable this behaviour, but it can be
     expected that one will be provided when the issue is solved upstream.
   * th_get_size-unsigned-int.patch: Make the th_get_size() macro cast the
     result from oct_to_int() to unsigned int. This is the right fix for
     bug #725938 on 64-bit systems, where a specially crafted tar file
     would not cause an integer overflow, but a memory allocation of almost
     16 exbibytes, which would certainly fail outright without harm.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEAREIAAYFAlMBCYYACgkQk7mRNn1h4+bhUACeIzUS2mmZ429Jzs3z4jo0m8nr
whcAmgJEDIxrnHYNmgjX7vWSd3ypSLcL
=zEq8
-----END PGP SIGNATURE-----
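
The pathname rule described in the changelog entry above (drop leading slashes and any prefix containing ".." components, for member names and symlink targets alike), as an added C example. It is not the Debian CVE-2013-4420.patch or libtar's own code; the helper name strip_unsafe_prefix, the sample names and the choice to return "." when nothing is left are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libtar function): return a pointer into `name`
 * past any leading slashes and past the last ".." component, so the result
 * is a relative path containing no ".." component.
 * Assumption: an empty result is reported as ".". */
static const char *strip_unsafe_prefix(const char *name)
{
    const char *p = name;
    const char *safe;

    while (*p == '/')                 /* drop leading slashes */
        p++;
    safe = p;

    while (*p) {
        /* p points at the start of a component; find where it ends */
        size_t len = strcspn(p, "/");
        const char *next = p + len;

        while (*next == '/')          /* skip the separator(s) after it */
            next++;
        /* only an exact ".." component counts, not "file..txt" or "..." */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            safe = next;              /* discard everything up to here */
        p = next;
    }
    return *safe ? safe : ".";
}

int main(void)
{
    /* Constructed sample member names, not taken from any real archive. */
    const char *samples[] = {
        "/etc/passwd", "../../etc/passwd", "a/../b/c", "dir/..", "ok/file..txt",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i], strip_unsafe_prefix(samples[i]));
    return 0;
}
```

Because the result is the sanitized suffix rather than the stored name, a caller sees "etc/passwd" for a member stored as "/etc/passwd", which is the visible behaviour change the changelog entry points out.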