Debian Bug report logs - #314805
tar: numerous bugs, possible security risk

Package: tar; Maintainer for tar is Bdale Garbee <>; Source for tar is src:tar.

Reported by: Jim Meyering <>

Date: Sat, 18 Jun 2005 16:48:02 UTC

Severity: important

Tags: patch

Found in version 1.15.1-2

Fixed in version tar/1.15.1-3

Done: Bdale Garbee <>

Bug is archived. No further changes may be made.

Report forwarded to, Bdale Garbee <>:
Bug#314805; Package tar. Full text and rfc822 format available.

Acknowledgement sent to Jim Meyering <>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Jim Meyering <>
To: Debian Bug Tracking System <>
Subject: tar: numerous bugs, possible security risk
Date: Sat, 18 Jun 2005 18:32:18 +0200
Package: tar
Version: 1.15.1-2
Severity: important
Tags: patch

I've reported several problems upstream.
Here is the message with patch:

Here is a summary of the fixes:

2005-06-17  Jim Meyering  <address@hidden>

        Carefully crafted invalid headers can cause buffer overrun.
        Invalid header fields go undiagnosed.
        Some valid time strings are ignored.

        * src/xheader.c (sparse_numblocks_decoder): Remove unchecked use
        of `calloc'.  Use xcalloc instead.
        (decode_time, gid_decoder, size_decoder, uid_decoder):
        (sparse_size_decoder, sparse_offset_decoder, sparse_numblocks_decoder):
        Ensure that the result of calling xstrtoumax is no larger than
        the maximum value for the target type.  Upon any failure, exit with
        a diagnostic.
        (sparse_numblocks_decoder): Avoid buffer overrun/heap corruption:
        use x2nrealloc, rather than `n *= 2' and xrealloc(p, n,....
        (decode_time): Rewrite to accept time strings like 1119018481.000000000.
        Before, such strings were always ignored.

-- System Information:
Debian Release: testing/unstable
  APT prefers stable
  APT policy: (900, 'stable'), (100, 'unstable'), (99, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages tar depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an

tar recommends no packages.

-- no debconf information
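The two decoder fixes summarised in the ChangeLog entry above (bounding each parsed number to the target type's maximum, and accepting time strings with a fractional part), written out as an added example. This is not tar's code or Jim Meyering's patch; it uses the standard `strtoumax` rather than gnulib's `xstrtoumax`, and the 32-bit uid width in the tests is an assumption.

```c
/* Added example, not tar's own code: bounded decoding of numeric pax
 * extended-header values in the spirit of the fix described above, where
 * xstrtoumax results were stored unchecked into narrower types. */
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>

/* Parse an unsigned decimal string.  Reject a leading sign or blank,
 * trailing junk, uintmax_t overflow, and any value above MAXVAL, the
 * maximum of the narrower type the caller will store the result into
 * (e.g. UINT32_MAX for a 32-bit uid), so the caller's cast is exact. */
static bool decode_bounded(const char *s, uintmax_t maxval, uintmax_t *out)
{
    char *end;
    if (*s < '0' || *s > '9') return false;
    errno = 0;
    uintmax_t v = strtoumax(s, &end, 10);
    if (*end != '\0' || errno == ERANGE || v > maxval) return false;
    *out = v;
    return true;
}

/* Decode "SECONDS" or "SECONDS.FRACTION"; the fraction is truncated or
 * zero-padded to nine digits, so "1119018481.000000000" is accepted. */
static bool decode_time(const char *s, uintmax_t *sec, long *nsec)
{
    char *end;
    long ns = 0;
    if (*s < '0' || *s > '9') return false;
    errno = 0;
    uintmax_t v = strtoumax(s, &end, 10);
    if (errno == ERANGE || v > (uintmax_t)INT64_MAX) return false;
    if (*end == '.') {
        int digits = 0;
        if (end[1] < '0' || end[1] > '9') return false;  /* "123." is malformed */
        for (end++; *end >= '0' && *end <= '9'; end++)
            if (digits < 9) ns = ns * 10 + (*end - '0'), digits++;
        while (digits++ < 9) ns *= 10;                   /* pad to nanoseconds */
    }
    if (*end != '\0') return false;
    *sec = v, *nsec = ns;
    return true;
}

/* Convenience check: does S decode to exactly WANT_SEC.WANT_NSEC? */
static bool time_is(const char *s, uintmax_t want_sec, long want_nsec)
{
    uintmax_t sec; long nsec;
    return decode_time(s, &sec, &nsec) && sec == want_sec && nsec == want_nsec;
}
```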

Reply sent to Bdale Garbee <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Jim Meyering <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Bdale Garbee <>
Subject: Bug#314805: fixed in tar 1.15.1-3
Date: Thu, 23 Feb 2006 11:32:08 -0800
Source: tar
Source-Version: 1.15.1-3

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive:

  to pool/main/t/tar/tar_1.15.1-3.diff.gz
  to pool/main/t/tar/tar_1.15.1-3.dsc
  to pool/main/t/tar/tar_1.15.1-3_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Bdale Garbee <> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.7
Date: Thu, 23 Feb 2006 13:02:09 -0600
Source: tar
Binary: tar
Architecture: source i386
Version: 1.15.1-3
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <>
Changed-By: Bdale Garbee <>
 tar        - GNU tar
Closes: 272888 286978 314805 319635 330187 343062 354091
 tar (1.15.1-3) unstable; urgency=high
   * patch for src/xheader.c suggested by Martin Pitt, to fix exploitable
     buffer overflow [CVE-2006-0300], closes: #354091, #314805
   * change default path for rmt in lib/localedir.h to be correct for Debian
     systems, closes: #319635
   * updated Italian translation from Marco d'Itri, closes: #286978
   * patch from Loic Minier fixing wrong matching of file names when special
     characters are present, closes: #272888
   * patch suggested by Stephen Frost to convert fatal error to warning when
     an archive spanning multiple volumes contains a filename longer than
     100 characters, closes: #330187
   * patch from Peter Samuelson to fix hard link handling in the presence
     of the --strip-components option, closes: #343062
   * update debhelper compat level to 5
 58cefb921a4b79f4c74b8bcd9516bd6b 552 base required tar_1.15.1-3.dsc
 4f36ad73b51359b311d1cc09eca963ee 47142 base required tar_1.15.1-3.diff.gz
 7b1aa651c91398561029d07051200b11 770876 base required tar_1.15.1-3_i386.deb


Bug archived. Request was from Debbugs Internal Request <> to (Sun, 24 Jun 2007 10:40:51 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <>. Last modified: Fri Apr 18 21:13:53 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.