Report information
Id: 133250
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: carnil [at] debian.org
dom <dom [at] earth.li>
jwilk [at] jwilk.net
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In:
  • 5.26.3
  • 5.28.0



To: perl5-security-report [...] perl.org
Date: Sat, 30 Sep 2017 19:46:56 +0200
Subject: Directory traversal in Archive::Tar
From: Jakub Wilk <jwilk [...] jwilk.net>
By default, the Archive::Tar module doesn't allow extracting files outside the current working directory. Unfortunately, you can bypass this secure extract mode easily by putting a symlink and a regular file with the same name into the tarball.

Proof of concept, which makes Archive::Tar create /tmp/moo, regardless of what cwd is:

$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2017-09-30 15:36 moo -> /tmp/moo
-rw-r--r-- root/root 4 2017-09-30 15:36 moo

$ pwd
/home/jwilk

$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory

$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'

$ ls /tmp/moo
/tmp/moo

Tested with Perl v5.26.1.

--
Jakub Wilk
Attachment: traversal.tar.gz (application/gzip, 133b; binary, body not shown)
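The name-collision trick in the report above, turned into a pre-extraction check. This is an added example, not code from the ticket, from Jakub Wilk or from Archive::Tar itself; the function names unsafe_entries, _normalize and demo_archive are mine, the archive is constructed in memory with Archive::Tar's add_data so nothing is written to disk, and the extraction root /home/jwilk is taken from the report. It goes slightly beyond the report by also flagging absolute or parent-relative entry names and symlinks whose target resolves outside the root.

```perl
#!/usr/bin/perl
# Added example (not from the ticket or from Archive::Tar): inspect an
# archive with Archive::Tar's own API before extracting it and report the
# entries that would let an extraction escape the target directory, in
# particular the "symlink, then same-named regular file" pattern above.
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant qw(SYMLINK);

# Collapse "." and ".." components of a slash-separated path without
# touching the file system. Returns undef if ".." climbs above the start.
sub _normalize {
    my ($path) = @_;
    my @out;
    for my $part (grep { length && $_ ne '.' } split m{/+}, $path) {
        if ($part eq '..') {
            return undef unless @out;
            pop @out;
        } else {
            push @out, $part;
        }
    }
    return join '/', @out;
}

# Return the list of findings for $tar when extracted into $root (an
# absolute path). An empty list means every entry stays inside $root.
sub unsafe_entries {
    my ($tar, $root) = @_;
    my $root_n = _normalize($root);
    my @findings;
    my %link_target;   # entry name => target of an earlier symlink entry

    for my $entry ($tar->get_files) {
        my $name = $entry->full_path;

        # Entries that try to leave the root on their own.
        if ($name =~ m{^/} || !defined _normalize($name)) {
            push @findings, "$name: absolute or parent-relative path";
            next;
        }

        # The CVE-2018-12015 pattern: a later entry reuses the name of an
        # earlier symlink, so an extractor that opens "$root/$name" for
        # writing follows the link instead of creating a fresh file.
        if (exists $link_target{$name} && !$entry->is_symlink) {
            push @findings,
                "$name: shadows earlier symlink to $link_target{$name}";
        }

        if ($entry->is_symlink) {
            my $target = $entry->linkname;
            $link_target{$name} = $target;

            # Resolve the target relative to the link's own directory and
            # check that it still lies under the extraction root.
            (my $dir = $name) =~ s{/?[^/]*$}{};
            my $abs = $target =~ m{^/}
                ? $target
                : join '/', grep { length } $root, $dir, $target;
            my $norm = _normalize($abs);
            if (!defined $norm || $norm !~ m{^\Q$root_n\E(?:/|$)}) {
                push @findings, "$name: symlink to $target leaves $root";
            }
        }
    }
    return @findings;
}

# Constructed in-memory archive shaped like the report's traversal.tar.gz:
# a symlink "moo" -> /tmp/moo followed by a regular file "moo".
sub demo_archive {
    my $tar = Archive::Tar->new;
    $tar->add_data('moo', '', { type => SYMLINK, linkname => '/tmp/moo' });
    $tar->add_data('moo', "moo\n");
    return $tar;
}

my @findings = unsafe_entries(demo_archive(), '/home/jwilk');
if (@findings) {
    print "refusing to extract:\n";
    print "  $_\n" for @findings;
} else {
    print "archive looks safe to extract into the target directory\n";
}
```

Archive::Tar ships with core Perl, so the script runs with a plain `perl scan.pl`. The scan only reads entry headers; it never calls extract, so it is safe to run on an untrusted archive before deciding whether to unpack it.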

From: Tony Cook <tony [...] develop-help.com>
Subject: Re: [perl #132189] Directory traversal in Archive::Tar
Date: Sun, 1 Oct 2017 08:12:47 +1100
To: perl5-security-report [...] perl.org
On Sat, Sep 30, 2017 at 12:23:38PM -0700, Jakub Wilk wrote:
> # New Ticket Created by Jakub Wilk
> # Please include the string: [perl #132189]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt.perl.org/Ticket/Display.html?id=132189 >
>
>
> By default, the Archive::Tar module doesn't allow extracting files
> outside the current working directory. Unfortunately, you can bypass
> this secure extract mode easily by putting a symlink and a regular file
> with the same name into the tarball.
>
> Proof of concept, which makes Archive::Tar create /tmp/moo, regardless
> of what cwd is:
>
> $ tar -tvvf traversal.tar.gz
> lrwxrwxrwx root/root 0 2017-09-30 15:36 moo -> /tmp/moo
> -rw-r--r-- root/root 4 2017-09-30 15:36 moo
>
> $ pwd
> /home/jwilk
>
> $ ls /tmp/moo
> ls: cannot access '/tmp/moo': No such file or directory
>
> $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
>
> $ ls /tmp/moo
> /tmp/moo
>
>
> Tested with Perl v5.26.1.

This needs to be reported to the Archive::Tar maintainer, not here.

Tony
From: Dominic Hargreaves <dom [...] earth.li>
CC: ntyni [...] debian.org
Subject: [jwilk@jwilk.net: Bug#900834: perl: Archive::Tar: directory traversal]
Date: Tue, 5 Jun 2018 23:00:41 +0100
To: team [...] security.debian.org, perl5-security-report [...] perl.org, chris [...] bingosnet.co.uk
Hi all,

Please see this report of a directory traversal vulnerability in Archive::Tar, which could be trivially exploited to overwrite any file writable by the extracting user. The same problem does not exist in (eg) GNU tar, and I assume that must explicitly protect against this case.

Verified with Archive::Tar 2.04_01 (perl 5.24.1), 2.24 (perl 5.26.2) and 2.26 (perl 5.28.0-RC1).

I expect the Debian security team (in To:) can assist by supplying a CVE if needed. Let me know if we (Debian perl maintainers) can help at all.

Note: I'm reporting this in private, but it was already publicly disclosed at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834>.

Dominic.

----- Forwarded message from Jakub Wilk <jwilk@jwilk.net> -----

Date: Tue, 5 Jun 2018 19:03:33 +0200
From: Jakub Wilk <jwilk@jwilk.net>
To: submit@bugs.debian.org
Subject: Bug#900834: perl: Archive::Tar: directory traversal

Source: perl
Version: 5.26.2-5
Tags: security

By default, the Archive::Tar module doesn't allow extracting files outside the current working directory. However, you can bypass this secure extraction mode easily by putting a symlink and a regular file with the same name into the tarball.

I've attached a proof of concept tarball, which makes Archive::Tar create /tmp/moo, regardless of what the current working directory is:

$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo

$ pwd
/home/jwilk

$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory

$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'

$ ls /tmp/moo
/tmp/moo

--
Jakub Wilk

_______________________________________________
Perl-maintainers mailing list
Perl-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/perl-maintainers

----- End forwarded message -----
From: Salvatore Bonaccorso <carnil [...] debian.org>
CC: team [...] security.debian.org, perl5-security-report [...] perl.org, chris [...] bingosnet.co.uk, ntyni [...] debian.org
Subject: Re: [jwilk@jwilk.net: Bug#900834: perl: Archive::Tar: directory traversal]
Date: Wed, 6 Jun 2018 06:47:04 +0200
To: Dominic Hargreaves <dom [...] earth.li>
Hi Dominic,

On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:
> Hi all,
>
> Please see this report of a directory traversal vulnerability in
> Archive::Tar, which could be trivially exploited to overwrite any file
> writable by the extracting user. The same problem does not exist in
> (eg) GNU tar, and I assume that must explicitly protect against this
> case.
>
> Verified with Archive::Tar 2.04_01 (perl 5.24.1), 2.24 (perl 5.26.2) and
> 2.26 (perl 5.28.0-RC1).
>
> I expect the Debian security team (in To:) can assist by supplying a
> CVE if needed. Let me know if we (Debian perl maintainers) can help at
> all.
>
> Note: I'm reporting this in private, but it was already publicly
> disclosed at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834>.

I have just requested a CVE from MITRE, will ping here again when I have the CVE assignment.

Regards,
Salvatore
To: Dominic Hargreaves <dom [...] earth.li>
From: Salvatore Bonaccorso <carnil [...] debian.org>
CC: team [...] security.debian.org, perl5-security-report [...] perl.org, chris [...] bingosnet.co.uk, ntyni [...] debian.org
Subject: Re: [jwilk@jwilk.net: Bug#900834: perl: Archive::Tar: directory traversal]
Date: Thu, 7 Jun 2018 15:13:34 +0200
Hi!

On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:
> Hi all,
>
> Please see this report of a directory traversal vulnerability in
> Archive::Tar, which could be trivially exploited to overwrite any file
> writable by the extracting user. The same problem does not exist in
> (eg) GNU tar, and I assume that must explicitly protect against this
> case.
>
> Verified with Archive::Tar 2.04_01 (perl 5.24.1), 2.24 (perl 5.26.2) and
> 2.26 (perl 5.28.0-RC1).
>
> I expect the Debian security team (in To:) can assist by supplying a
> CVE if needed. Let me know if we (Debian perl maintainers) can help at
> all.
>
> Note: I'm reporting this in private, but it was already publicly
> disclosed at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834>.

MITRE has assigned CVE-2018-12015 for this issue.

Will look if I find time to write to oss-security as well on the CVE assignment, but otherwise other distros will anyway notice once they update their CVE list.

Is there a (public) upstream bugreport on it?

Regards,
Salvatore
To: Salvatore Bonaccorso <carnil [...] debian.org>
From: Dominic Hargreaves <dom [...] earth.li>
CC: team [...] security.debian.org, perl5-security-report [...] perl.org, chris [...] bingosnet.co.uk, ntyni [...] debian.org
Subject: Re: [jwilk@jwilk.net: Bug#900834: perl: Archive::Tar: directory traversal]
Date: Thu, 7 Jun 2018 22:33:05 +0100
On Thu, Jun 07, 2018 at 03:13:34PM +0200, Salvatore Bonaccorso wrote:
> Hi!
>
> On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:
> > Hi all,
> >
> > Please see this report of a directory traversal vulnerability in
> > Archive::Tar, which could be trivially exploited to overwrite any file
> > writable by the extracting user. The same problem does not exist in
> > (eg) GNU tar, and I assume that must explicitly protect against this
> > case.
> >
> > Verified with Archive::Tar 2.04_01 (perl 5.24.1), 2.24 (perl 5.26.2) and
> > 2.26 (perl 5.28.0-RC1).
> >
> > I expect the Debian security team (in To:) can assist by supplying a
> > CVE if needed. Let me know if we (Debian perl maintainers) can help at
> > all.
> >
> > Note: I'm reporting this in private, but it was already publicly
> > disclosed at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834>.
>
> MITRE has assigned CVE-2018-12015 for this issue.
>
> Will look if I find time to write to oss-security as well on the CVE
> assignment, but otherwise other distros will anyway notice once they
> update their CVE list.
>
> Is there a (public) upstream bugreport on it?

Thanks. I've just created one here:

https://rt.cpan.org/Ticket/Display.html?id=125523

I was holding off on that but since it's already public in the BTS, probably not much advantage.

There was some indication that someone from p5p-security was looking into it but I'm not sure. It would probably be better if someone who already understands the code does so?

Cheers,
Dominic.
Subject: Re: [jwilk@jwilk.net: Bug#900834: perl: Archive::Tar: directory traversal]
CC: team [...] security.debian.org, perl5-security-report [...] perl.org, chris [...] bingosnet.co.uk, ntyni [...] debian.org
From: Dominic Hargreaves <dom [...] earth.li>
Date: Fri, 8 Jun 2018 14:52:04 +0100
To: Salvatore Bonaccorso <carnil [...] debian.org>
On Thu, Jun 07, 2018 at 10:33:05PM +0100, Dominic Hargreaves wrote:
> On Thu, Jun 07, 2018 at 03:13:34PM +0200, Salvatore Bonaccorso wrote:
> > Hi!
> >
> > On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:
> > > Hi all,
> > >
> > > Please see this report of a directory traversal vulnerability in
> > > Archive::Tar, which could be trivially exploited to overwrite any file
> > > writable by the extracting user. The same problem does not exist in
> > > (eg) GNU tar, and I assume that must explicitly protect against this
> > > case.
> > >
> > > Verified with Archive::Tar 2.04_01 (perl 5.24.1), 2.24 (perl 5.26.2) and
> > > 2.26 (perl 5.28.0-RC1).
> > >
> > > I expect the Debian security team (in To:) can assist by supplying a
> > > CVE if needed. Let me know if we (Debian perl maintainers) can help at
> > > all.
> > >
> > > Note: I'm reporting this in private, but it was already publicly
> > > disclosed at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834>.
> >
> > MITRE has assigned CVE-2018-12015 for this issue.
> >
> > Will look if I find time to write to oss-security as well on the CVE
> > assignment, but otherwise other distros will anyway notice once they
> > update their CVE list.
> >
> > Is there a (public) upstream bugreport on it?
>
> Thanks. I've just created one here:
>
> https://rt.cpan.org/Ticket/Display.html?id=125523
>
> I was holding off on that but since it's already public in the BTS,
> probably not much advantage.
>
> There was some indication that someone from p5p-security was looking into
> it but I'm not sure. It would probably be better if someone who already
> understands the code does so?

There's now a proposed patch there from Petr at Redhat. Any chance someone can have a look to review it?

Thanks!
Dominic.
RT-Send-CC: perl5-security-report [...] perl.org
On Fri, 08 Jun 2018 06:52:40 -0700, dom wrote:
> On Thu, Jun 07, 2018 at 10:33:05PM +0100, Dominic Hargreaves wrote:
> > On Thu, Jun 07, 2018 at 03:13:34PM +0200, Salvatore Bonaccorso wrote:
> > > Hi!
> > >
> > > On Tue, Jun 05, 2018 at 11:00:41PM +0100, Dominic Hargreaves wrote:
> > > > Hi all,
> > > >
> > > > Please see this report of a directory traversal vulnerability in
> > > > Archive::Tar, which could be trivially exploited to overwrite any file
> > > > writable by the extracting user. The same problem does not exist in
> > > > (eg) GNU tar, and I assume that must explicitly protect against this
> > > > case.
> > > >
> > > > Verified with Archive::Tar 2.04_01 (perl 5.24.1), 2.24 (perl 5.26.2) and
> > > > 2.26 (perl 5.28.0-RC1).
> > > >
> > > > I expect the Debian security team (in To:) can assist by supplying a
> > > > CVE if needed. Let me know if we (Debian perl maintainers) can help at
> > > > all.
> > > >
> > > > Note: I'm reporting this in private, but it was already publicly
> > > > disclosed at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834>.
> > >
> > > MITRE has assigned CVE-2018-12015 for this issue.
> > >
> > > Will look if I find time to write to oss-security as well on the CVE
> > > assignment, but otherwise other distros will anyway notice once they
> > > update their CVE list.
> > >
> > > Is there a (public) upstream bugreport on it?
> >
> > Thanks. I've just created one here:
> >
> > https://rt.cpan.org/Ticket/Display.html?id=125523
> >
> > I was holding off on that but since it's already public in the BTS,
> > probably not much advantage.
> >
> > There was some indication that someone from p5p-security was looking into
> > it but I'm not sure. It would probably be better if someone who already
> > understands the code does so?
>
> There's now a proposed patch there from Petr at Redhat. Any chance someone
> can have a look to review it?

Chris has released a 2.28 with the fix:

https://metacpan.org/release/BINGOS/Archive-Tar-2.28

Please ensure [perl #133250] is in the subject, I just merged four other tickets into this one.

Tony
RT-Send-CC: perl5-security-report [...] perl.org
On Fri, 08 Jun 2018 17:30:17 -0700, tonyc wrote:
> Chris has released a 2.28 with the fix:
>
> https://metacpan.org/release/BINGOS/Archive-Tar-2.28

How do we want to handle this[1] for maint releases?

Do we:

a) ignore it, let the users update from CPAN even with the next maint-5.26, or

b) include the fix and only the fix.

I think we've typically done a), but the dot-in-inc maint changes included changes to cpan/

Tony

[1] and other similar issues in the future
To: Tony Cook via RT <perl5-security-report-followup [...] perl.org>
CC: perl5-security-report [...] perl.org
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #133250] [jwilk@jwilk.net: Bug#900834: perl: Archive::Tar: directory traversal]
Date: Thu, 9 Aug 2018 08:06:49 +0100
On Wed, Aug 08, 2018 at 06:23:16PM -0700, Tony Cook via RT wrote:
> On Fri, 08 Jun 2018 17:30:17 -0700, tonyc wrote:
> > Chris has released a 2.28 with the fix:
> >
> > https://metacpan.org/release/BINGOS/Archive-Tar-2.28
>
> How do we want to handle this[1] for maint releases?
>
> Do we:
>
> a) ignore it, let the users update from CPAN even with the next maint-5.26, or
>
> b) include the fix and only the fix.
>
> I think we've typically done a), but the dot-in-inc maint changes included changes to cpan/

I think it's a subjective per-issue decision. In this case I think the issue is serious enough that we should do (b).

--
The Enterprise is captured by a vastly superior alien intelligence which does not put them on trial.
    -- Things That Never Happen in "Star Trek" #10
To: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #133250] [jwilk@jwilk.net: Bug#900834: perl: Archive::Tar: directory traversal]
Date: Sat, 11 Aug 2018 15:43:46 +0300
From: Sawyer X <xsawyerx [...] gmail.com>
CC: perl5-security-report-followup [...] perl.org, Perl 5 Security Report <perl5-security-report [...] perl.org>
I agree. We should go with (b) here.

On Thu, Aug 9, 2018 at 10:07 AM Dave Mitchell <davem@iabyn.com> wrote:
On Wed, Aug 08, 2018 at 06:23:16PM -0700, Tony Cook via RT wrote:
> On Fri, 08 Jun 2018 17:30:17 -0700, tonyc wrote:
> > Chris has released a 2.28 with the fix:
> >
> > https://metacpan.org/release/BINGOS/Archive-Tar-2.28
>
> How do we want to handle this[1] for maint releases?
>
> Do we:
>
> a) ignore it, let the users update from CPAN even with the next maint-5.26, or
>
> b) include the fix and only the fix.
>
> I think we've typically done a), but the dot-in-inc maint changes included changes to cpan/

I think it's a subjective per-issue decision. In this case I think the
issue is serious enough that we should do (b).

--
The Enterprise is captured by a vastly superior alien intelligence which
does not put them on trial.
    -- Things That Never Happen in "Star Trek" #10
RT-Send-CC: perl5-security-report [...] perl.org
In blead/5.28 this was fixed in 91f84d6f2b00acf02762066502c8fac8f7a11cd8 (v5.28.0-RC2-3-g91f84d6f2b).

The attached patch includes the backport of *only* the CVE fix to maint-5.26.

https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5

An alternative might be to simply import Archive-Tar 2.28 (or 2.32) but we've typically stuck to minimal fixes for included CPAN modules.

Since this issue is public, given two other votes I'll apply it immediately to maint-5.26 and make this ticket public.

Tony
Subject: 0001-perl-133250-backport-CVE-2018-12015-fix.patch
From fe83582298e0746ff3b663110d5a6a4b299c96b8 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Thu, 20 Sep 2018 11:53:19 +1000 Subject: (perl #133250) backport CVE-2018-12015 fix --- Porting/Maintainers.pl | 1 + cpan/Archive-Tar/lib/Archive/Tar.pm | 17 ++++++++++++++++- t/porting/customized.dat | 1 + 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl index e9032a91f3..5f3b3141d1 100755 --- a/Porting/Maintainers.pl +++ b/Porting/Maintainers.pl @@ -126,6 +126,7 @@ use File::Glob qw(:case); 'EXCLUDED' => [ qw(t/07_ptardiff.t), ], + 'CUSTOMIZED' => [ qw(lib/Archive/Tar.pm) ], # CVE-2018-12015 }, 'Attribute::Handlers' => { diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm index d63e586317..00db612193 100644 --- a/cpan/Archive-Tar/lib/Archive/Tar.pm +++ b/cpan/Archive-Tar/lib/Archive/Tar.pm @@ -31,7 +31,7 @@ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD $DEBUG = 0; $WARN = 1; $FOLLOW_SYMLINK = 0; -$VERSION = "2.24"; +$VERSION = "2.24_01"; $CHOWN = 1; $CHMOD = 1; $SAME_PERMISSIONS = $> == 0 ? 1 : 0; @@ -845,6 +845,21 @@ sub _extract_file { return; } + ### If a file system already contains a block device with the same name as + ### the being extracted regular file, we would write the file's content + ### to the block device. So remove the existing file (block device) now. + ### If an archive contains multiple same-named entries, the last one + ### should replace the previous ones. So remove the old file now. + ### If the old entry is a symlink to a file outside of the CWD, the new + ### entry would create a file there. This is CVE-2018-12015 + ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. + if (-l $full || -e _) { + if (!unlink $full) { + $self->_error( qq[Could not remove old file '$full': $!] ); + return; + } + } + if( length $entry->type && $entry->is_file ) { my $fh = IO::File->new; $fh->open( '>' . $full ) or ( 
diff --git a/t/porting/customized.dat b/t/porting/customized.dat index 5014b3e210..7a5c7fc0b4 100644 --- a/t/porting/customized.dat +++ b/t/porting/customized.dat @@ -1,3 +1,4 @@ +Archive::Tar cpan/Archive-Tar/lib/Archive/Tar.pm e93f3f352b4820b3ccdc1f06cb82b2102fe1de3b Digest cpan/Digest/Digest.pm 43f7f544cb11842b2f55c73e28930da50774e081 Encode cpan/Encode/Unicode/Unicode.pm 9749692c67f7d69083034de9184a93f070ab4799 ExtUtils::Constant cpan/ExtUtils-Constant/t/Constant.t a0369c919e216fb02767a637666bb4577ad79b02 -- 2.11.0
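Review bot: in the cpan/Archive-Tar/lib/Archive/Tar.pm hunk, the `$VERSION` bump from `"2.24"` to `"2.24_01"` makes the core copy distinguishable from CPAN 2.24, but an underscore version is treated by version-comparing tools as a developer release that sorts below 2.25, so a later `cpanm Archive::Tar` will still upgrade past it (which is what we want); what is missing is a perldelta line naming CVE-2018-12015, since this patch gives users no in-tree explanation of why their Archive::Tar reports a version that never existed on CPAN.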
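Review bot: in the `_extract_file` hunk, the new `if (-l $full || -e _)` block removes whatever is at `$full` before the `is_file` branch does `$fh->open( '>' . $full )`, which is what closes the symlink-then-file collision from the report, but two points deserve a look. First, `unlink` does not remove directories, so an archive entry whose name matches an existing directory now fails at "Could not remove old file" instead of at the open; if that is the intended behaviour, a test exercising it would pin it down. Second, there is still a window between the `unlink` and the `open` in which a link could reappear at `$full`; opening with `sysopen($fh, $full, O_WRONLY|O_CREAT|O_EXCL)` (adding O_NOFOLLOW where the platform has it) would make the open itself refuse to follow a link rather than relying on the earlier removal. A minor one: `-e _` reuses the lstat buffer from `-l $full`, so the existence test deliberately does not follow the link; a one-line comment saying so would stop a future reader from "simplifying" it to `-e $full`, and the comment phrase "the being extracted regular file" reads better as "the regular file being extracted".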
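Review bot: in the t/porting/customized.dat hunk, the checksum recorded for cpan/Archive-Tar/lib/Archive/Tar.pm has to match the customized file exactly, so any later touch of Tar.pm on maint-5.26 (including another change to the `$VERSION` string) must regenerate this line or t/porting/customized.t will fail; landing the Maintainers.pl `CUSTOMIZED` entry and this line in the same commit, as done here, is the right way to keep that coupling visible.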
RT-Send-CC: perl5-security-report [...] perl.org
tonyc wrote:
> Since this issue is public, given two other votes I'll apply it
> immediately to maint-5.26 and make this ticket public.

I can't see an entry in the votes file, but please take this as my vote to merge to maint-5.26.

Thanks, Tony!

--
Aaron Crane
CC: Perl 5 Security Report <perl5-security-report [...] perl.org>
Date: Fri, 21 Sep 2018 13:08:02 +0300
Subject: Re: [perl #133250] CVE-2018-12015: Archive::Tar: directory traversal
From: Sawyer X <xsawyerx [...] gmail.com>
To: rt-comment [...] perl.org
Same from me. 

On Fri, Sep 21, 2018, 13:07 Aaron Crane via RT <rt-comment@perl.org> wrote:
tonyc wrote:
> Since this issue is public, given two other votes I'll apply it
> immediately to maint-5.26 and make this ticket public.

I can't see an entry in the votes file, but please take this as my vote to merge to maint-5.26.

Thanks, Tony!

--
Aaron Crane
RT-Send-CC: perl5-porters [...] perl.org
On Fri, 21 Sep 2018 03:04:18 -0700, arc wrote:
> tonyc wrote:
> > Since this issue is public, given two other votes I'll apply it
> > immediately to maint-5.26 and make this ticket public.
>
> I can't see an entry in the votes file, but please take this as my
> vote to merge to maint-5.26.

Yeah, there's no corresponding commit in blead, since that included the full upstream release rather than just the CVE fix.

Applied as d0130b8d46dabdeb571fff8bbc3a791f4ea1f28c.

Leaving this open until 5.26.next is released.

Tony

