Debian-LTS has issued an advisory on October 31:
http://lwn.net/Alerts/705200/

The Debian bug for this is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842339

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Debian has issued an advisory for this today (November 1):
https://www.debian.org/security/2016/dsa-3702
Fixed package on mga5 updates_testing. Fixed in cauldron too.
CC: (none) => mageia
Version: Cauldron => 5
Assignee: shlomif => qa-bugs
Advisory:
========================

Updated tar package fixes security vulnerability:

Harry Sintonen discovered that GNU tar does not properly handle member names containing '..', thus allowing an attacker to bypass the path names specified on the command line and replace files and directories in the target directory (CVE-2016-6321).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
https://www.debian.org/security/2016/dsa-3702
========================

Updated packages in core/updates_testing:
========================
tar-1.28-3.1.mga5

from tar-1.28-3.1.mga5.src.rpm
Whiteboard: MGA5TOO => (none)
MGA5-32 on AcerD620 Xfce
No installation issues.
Did tests:
Viewed existing tar file contents: OK
Made test files text1.txt and text..txt with some contents in ~/Downloads
at CLI: tar -cf bugtest.tar text1.txt text2..txt
Copied bugtest.tar to ~/Documenten
at CLI
$ cd ../Documenten/
$ tar -xf bugtest.tar
Checked files came thru OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Tested tar-1.28-3.1.mga5 on Mageia 5 64 bits in a MSI Cubi PC.
Installation OK.
Compressing and extracting some tar.gz files OK.
Compressing and extracting some tar.bz2 files OK.
CC: (none) => panasum
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0386.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
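
The advisory above concerns member names containing '..'. As an added example (not part of this bug report and not code from tar or Mageia), the following Python sketch lists an archive's members before extraction and flags names with a '..' path component or an absolute path. The archive and its member names are constructed sample data; note that a file name such as text2..txt has no '..' component and is not flagged.

```python
import io
import tarfile
from pathlib import PurePosixPath


def build_sample_archive(names):
    """Build an in-memory tar; the member names are constructed test data."""
    buf = io.BytesIO()
    data = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def suspicious_members(fileobj):
    """Return (name, reason) for members whose names can escape the target dir.

    Only the archive headers are read; nothing is written to disk.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for member in tf:
            path = PurePosixPath(member.name)
            if path.is_absolute():
                findings.append((member.name, "absolute path"))
            elif ".." in path.parts:
                # Matches whole components only, so 'text2..txt' passes.
                findings.append((member.name, "'..' path component"))
    return findings


if __name__ == "__main__":
    # Constructed sample names; none come from the bug report's test archive.
    sample = build_sample_archive([
        "text1.txt",
        "text2..txt",
        "docs/notes/../../outside.txt",
        "/abs/file.txt",
    ])
    for name, reason in suspicious_members(sample):
        print(f"refuse to extract {name!r}: {reason}")
```
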