Rev 23 | Rev 24 | ||
---|---|---|---|
Line 3... | Line 3... | ||
3 | * no_static_buffers.patch: avoid using a static buffer in |
3 | * no_static_buffers.patch: avoid using a static buffer in |
4 | th_get_pathname(). Taken from upstream. Needed for no_maxpathlen.patch. |
4 | th_get_pathname(). Taken from upstream. Needed for no_maxpathlen.patch. |
5 | * maxpathlen.patch: Fix FTBFS on Hurd by dynamically allocating path |
5 | * maxpathlen.patch: Fix FTBFS on Hurd by dynamically allocating path |
6 | names (Closes: #657116). Thanks to Svante Signell and Petter |
6 | names (Closes: #657116). Thanks to Svante Signell and Petter |
7 | Reinholdtsen. |
7 | Reinholdtsen. |
- | 8 | * [SECURITY] CVE-2013-4420.patch: Strip out leading slashes and any |
|
- | 9 | pathname prefix containing ".." components (Closes: #731860). This is |
|
- | 10 | done in th_get_pathname() (as well as to symlink targets when |
|
- | 11 | extracting symlinks), not merely when extracting files, which means |
|
- | 12 | applications calling that function will not see the stored |
|
- | 13 | filename. There is no way to disable this behaviour, but it can be |
|
- | 14 | expected that one will be provided when the issue is solved upstream. |
|
8 | 15 | ||
9 | -- Magnus Holmgren <holmgren@debian.org> Thu, 13 Feb 2014 21:20:23 +0100 |
16 | -- Magnus Holmgren <holmgren@debian.org> Sat, 15 Feb 2014 21:20:03 +0100 |
10 | 17 | ||
11 | libtar (1.2.20-1) unstable; urgency=high |
18 | libtar (1.2.20-1) unstable; urgency=high |
12 | 19 | ||
13 | * [SECURITY] New upstream release. Fixes CVE-2013-4397: Integer |
20 | * [SECURITY] New upstream release. Fixes CVE-2013-4397: Integer |
14 | overflow (Closes: #725938). |
21 | overflow (Closes: #725938). |
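
Review bot: The new CVE-2013-4420 entry (new lines 8-14) names symlink targets as sanitised but does not say whether hard link targets get the same treatment; a reader will take this entry as the full scope of the fix, so state explicitly which link types are covered. The entry also records an unconditional behaviour change for callers of th_get_pathname(), which "will not see the stored filename" and have "no way to disable this behaviour"; consider repeating that in a NEWS.Debian entry so maintainers of dependent packages see it on upgrade rather than only in the changelog.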