Format: 1.8
Date: Sun, 16 Feb 2014 19:44:16 +0100
Source: libtar
Binary: libtar-dev libtar
Architecture: source amd64
Version: 1.2.11-6+deb6u2
Distribution: squeeze-security
Urgency: low
Maintainer: Julien Danjou <acid@debian.org>
Changed-By: Magnus Holmgren <holmgren@debian.org>
Description:
 libtar     - C library for manipulating tar archives
 libtar-dev - C library for manipulating tar archives
Closes: 731860
Changes:
 libtar (1.2.11-6+deb6u2) squeeze-security; urgency=low
 .
   * [SECURITY] CVE-2013-4420: Strip out leading slashes and any pathname
     prefix containing ".." components (Closes: #731860). This is done in
     th_get_pathname() (as well as to symlink targets when extracting
     symlinks), not merely when extracting files, which means applications
     calling that function will not see the stored filename. There is no
     way to disable this behaviour, but it can be expected that one will be
     provided when the issue is solved upstream.
   * Make the th_get_size() macro cast the result from oct_to_int() to
     unsigned int. This is the right fix for bug #725938 on 64-bit systems,
     where a specially crafted tar file would not cause an integer overflow,
     but a memory allocation of almost 16 exbibytes, which would certainly
     fail outright without harm.
Files:
 992791ab99bc37e4cd287f8e6cf1887a 993 libs optional libtar_1.2.11-6+deb6u2.dsc
 510f0207b558d6fb4f33b21e698bc506 255994 libs optional libtar_1.2.11-6+deb6u2.diff.gz
 13b1b12dc47bd95bdca8dab4e714fdb7 43842 libdevel optional libtar-dev_1.2.11-6+deb6u2_amd64.deb
 4a07935413607502a32fca4241f7221a 22528 libs optional libtar_1.2.11-6+deb6u2_amd64.deb
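As an added illustration of the CVE-2013-4420 mitigation described in the Changes entry (this is not libtar's own th_get_pathname() code): a C function that discards any prefix up to and including the last ".." component and then strips leading slashes, so a stored member name can no longer point outside the extraction directory. The function name safe_pathname and the sample member names are assumptions made for this example.

```c
/* Added illustrative example (not libtar's own code): a sanitizer that
 * behaves as the CVE-2013-4420 changelog entry describes. Everything up to
 * and including the last ".." path component is discarded, then any leading
 * slashes are stripped, so the result cannot escape the extraction root. */
#include <stdio.h>
#include <string.h>

/* Return a pointer into `path` at the first character to keep.
 * Only bare ".." components count; names such as "..foo" are left alone. */
const char *safe_pathname(const char *path)
{
    const char *keep = path;
    const char *p = path;

    while (*p != '\0') {
        const char *end = strchr(p, '/');            /* end of this component */
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            keep = end ? end + 1 : p + len;           /* drop through this ".." */
        if (end == NULL)
            break;
        p = end + 1;
    }
    while (*keep == '/')                              /* make the path relative */
        keep++;
    return keep;
}

int main(void)
{
    /* Constructed sample member names, as a hostile archive might store them. */
    const char *samples[] = {
        "../../etc/passwd", "/etc/passwd", "foo/../../bar/baz",
        "a/..b/c", "..//x", "foo/..", "usr/bin/tar", NULL
    };
    for (int i = 0; samples[i] != NULL; i++)
        printf("%-20s -> \"%s\"\n", samples[i], safe_pathname(samples[i]));
    return 0;
}
```

Note that, exactly as the entry warns, a caller of such a function never sees the original stored name; an application that needs to log or reject the raw entry must read it before sanitization.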