
Debian Bug report logs - #449544
CVE-2007-4829 directory traversal vulnerability


Package: libarchive-tar-perl; Maintainer for libarchive-tar-perl is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 6 Nov 2007 14:15:01 UTC

Severity: important

Tags: security

Fixed in version libarchive-tar-perl/1.38-1

Done: gregor herrmann <gregor+debian@comodo.priv.at>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=30380



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#449544; Package libarchive-tar-perl.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4829 directory traversal vulnerability
Date: Tue, 6 Nov 2007 15:01:41 +0100
Package: libarchive-tar-perl
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libarchive-tar-perl.

CVE-2007-4829[0]:
| Directory traversal vulnerability in the Archive::Tar Perl module 1.36
| and earlier allows user-assisted remote attackers to overwrite
| arbitrary files via a TAR archive that contains a file whose name is
| an absolute path or has ".." sequences.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4829

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
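The CVE text above names two member-name shapes that let a crafted archive write outside the extraction directory: an absolute path and a path containing ".." components. The following Perl is an added example written for this page, not code from Archive::Tar or from the bug log; it shows the caller-side check a defender would apply before extracting members with Archive::Tar (assumed here to be any version, including the affected 1.36 and earlier), and the sample names it tests are constructed.

```perl
#!/usr/bin/perl
# Added example: reject tar member names that would escape the
# destination directory, then extract only the remaining members.
use strict;
use warnings;
use Archive::Tar;
use File::Spec;

# Return 1 if $name may be extracted beneath a destination directory,
# 0 otherwise. Rejects the two cases named in CVE-2007-4829 (an absolute
# path and a ".." path component) and, additionally, an empty name.
sub is_safe_member_name {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ m{^/};              # absolute path
    for my $part ( split m{/}, $name ) {
        return 0 if $part eq '..';           # traversal component
    }
    return 1;
}

# Extract every member of $tar whose name passes the check into $dest
# (assumed to be an existing directory). Returns the list of member
# names that were skipped so the caller can log or alert on them.
sub extract_safely {
    my ( $tar, $dest ) = @_;
    my @skipped;
    for my $file ( $tar->get_files ) {
        my $name = $file->full_path;
        if ( !is_safe_member_name($name) ) {
            push @skipped, $name;
            next;
        }
        $tar->extract_file( $name, File::Spec->catfile( $dest, $name ) )
            or warn "extract of $name failed: " . $tar->error . "\n";
    }
    return @skipped;
}

# Constructed sample names exercising the check on its own.
my @samples = (
    'etc/motd',            # relative path, stays under $dest: ok
    'docs/../README',      # ".." in the middle of the path: rejected
    '../../etc/passwd',    # leading "..": rejected
    '/etc/passwd',         # absolute path: rejected
    'foo/..bar',           # ".." is only part of a component: ok
);
for my $n (@samples) {
    printf "%-20s %s\n", $n, is_safe_member_name($n) ? 'ok' : 'REJECTED';
}
```

The name check is deliberately independent of any Archive::Tar version: the changelog below records that upstream 1.38 changed its own extraction behaviour for this bug, but code that must run against older installations, or that wants to log rejected members rather than silently skip them, still benefits from doing the check itself. Rejecting on the raw member name, before any filesystem access, means a malicious entry never reaches the point where it could be written.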

Noted your statement that Bug has been forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=30380. Request was from gregor herrmann <gregor+debian@comodo.priv.at> to control@bugs.debian.org. (Tue, 06 Nov 2007 19:36:01 GMT)


Tags added: pending. Request was from gregor herrmann <gregor+debian@comodo.priv.at> to control@bugs.debian.org. (Tue, 25 Dec 2007 23:36:05 GMT)


Reply sent to gregor herrmann <gregor+debian@comodo.priv.at>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #14 received at 449544-close@bugs.debian.org:

From: gregor herrmann <gregor+debian@comodo.priv.at>
To: 449544-close@bugs.debian.org
Subject: Bug#449544: fixed in libarchive-tar-perl 1.38-1
Date: Wed, 26 Dec 2007 20:32:07 +0000
Source: libarchive-tar-perl
Source-Version: 1.38-1

We believe that the bug you reported is fixed in the latest version of
libarchive-tar-perl, which is due to be installed in the Debian FTP archive:

libarchive-tar-perl_1.38-1.diff.gz
  to pool/main/liba/libarchive-tar-perl/libarchive-tar-perl_1.38-1.diff.gz
libarchive-tar-perl_1.38-1.dsc
  to pool/main/liba/libarchive-tar-perl/libarchive-tar-perl_1.38-1.dsc
libarchive-tar-perl_1.38-1_all.deb
  to pool/main/liba/libarchive-tar-perl/libarchive-tar-perl_1.38-1_all.deb
libarchive-tar-perl_1.38.orig.tar.gz
  to pool/main/liba/libarchive-tar-perl/libarchive-tar-perl_1.38.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 449544@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregor+debian@comodo.priv.at> (supplier of updated libarchive-tar-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 26 Dec 2007 00:32:24 +0100
Source: libarchive-tar-perl
Binary: libarchive-tar-perl
Architecture: source all
Version: 1.38-1
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregor+debian@comodo.priv.at>
Description: 
 libarchive-tar-perl - Archive::Tar - manipulate tar files in perl
Closes: 449544
Changes: 
 libarchive-tar-perl (1.38-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes security bug "directory traversal vulnerability" - CVE-2007-4829
       (closes: #449544)
     - urgency set to high because of the security fix
     - add NEWS.Debian that documents the changed behaviour
   * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser
     field (source stanza); Homepage field (source stanza). Removed:
     Homepage pseudo-field (Description); XS-Vcs-Svn fields.
   * Set Standards-Version to 3.7.3 (no changes required).
   * Add libtext-diff-perl to Suggests:.
   * debian/watch: use dist-based URL.
   * debian/rules: use dh_listpackages to get package name.
Files: 
 582ba54171055261e10c7bb8b0fc6c32 1094 perl optional libarchive-tar-perl_1.38-1.dsc
 17295c220b333fc4e1e3a140d3471be1 42452 perl optional libarchive-tar-perl_1.38.orig.tar.gz
 c0d809daa2e3e8ad1dd95cf2078cf0d6 4281 perl optional libarchive-tar-perl_1.38-1.diff.gz
 3dd3a7811e914653a6fa5893a79a3f7e 57838 perl optional libarchive-tar-perl_1.38-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFHcreR+YXjQAr8dHYRAqwnAJdb40bAGPzYT5V/m25lfzjzd7OyAJwJpXkC
RtIByZhqfXXH0DM0zi6tjw==
=QOOe
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jan 2008 07:30:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:33:08 2019; Machine Name: buxtehude
