Hello community, here is the log from the commit of package star checked in at Fri Aug 31 16:03:05 CEST 2007. -------- --- star/star.changes 2006-09-11 12:39:02.000000000 +0200 +++ /mounts/work_src_done/STABLE/star/star.changes 2007-08-31 15:00:33.000000000 +0200 @@ -1,0 +2,5 @@ +Fri Aug 31 14:59:09 CEST 2007 - mkoenig@suse.de + +- fix directory traversal vulnerability CVE-2007-4134 [#302489] + +------------------------------------------------------------------- New: ---- star-CVE-2007-4134.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ star.spec ++++++ --- /var/tmp/diff_new_pack.K22906/_old 2007-08-31 16:02:36.000000000 +0200 +++ /var/tmp/diff_new_pack.K22906/_new 2007-08-31 16:02:36.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package star (Version 1.5a70) # -# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -12,18 +12,19 @@ Name: star BuildRequires: e2fsprogs-devel libacl-devel -License: Other License(s), see package +License: Common Development and Distribution License 1.0 Group: Productivity/Archiving/Backup Autoreqprov: on Provides: rmt Version: 1.5a70 -Release: 16 +Release: 77 Source: ftp://ftp.berlios.de/pub/star/alpha/star-%{version}.tar.bz2 Source1: README-FIRST Source2: tests.tar.bz2 Patch0: star-configuration.diff Patch2: star-no_fsync.diff Patch5: rmt-move.diff +Patch6: star-CVE-2007-4134.patch URL: http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/... BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: POSIX.1-2001-Compliant Tar Implementation @@ -63,6 +64,7 @@ %patch0 -p1 %patch2 -p1 %patch5 -p1 +%patch6 %build # bugzilla#134113: incompatible license and unused: 
@@ -140,7 +142,9 @@ /usr/share/man/man1/star.1.gz /usr/share/man/man1/tartest.1.gz -%changelog -n star +%changelog +* Fri Aug 31 2007 - mkoenig@suse.de +- fix directory traversal vulnerability CVE-2007-4134 [#302489] * Mon Sep 11 2006 - jw@suse.de - remove unused GPL code. Fixing #134113 * Wed May 10 2006 - mmj@suse.de ++++++ star-CVE-2007-4134.patch ++++++ ------- extract.c ------- --- /tmp/sccs.tLa4Vl Di Aug 21 13:31:20 2007 +++ star/extract.c Di Aug 21 13:28:42 2007 @@ -1914,6 +1914,8 @@ return (FALSE); } while (*p != '/'); p++; + while (*p == '/') /* Skip multiple slashes */ + p++; } return (FALSE); } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
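Review bot: the star.changes entry only records the CVE-2007-4134 fix, but the same submission also rewrites the spec's License tag from "Other License(s), see package" to "Common Development and Distribution License 1.0"; add a second bullet for the license tag change so the changelog matches what the package diff actually does.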
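Review bot: in the %prep hunk the new `+%patch6` line has no `-p1`, unlike `%patch0 -p1`, `%patch2 -p1` and `%patch5 -p1` just above it; since the patch file names its target as `+++ star/extract.c` while the tarball is star-%{version}, confirm that the default strip level really resolves to extract.c in the build directory (or add `-p1` and adjust the path in the patch) rather than silently creating a stray `star/extract.c`.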
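Review bot: the extract.c hunk is a plausible fix but ships with no regression coverage; the added `while (*p == '/') p++;` stops the scanner from treating the empty component between consecutive slashes as the next path element, yet the `return (FALSE)` / `do ... while (*p != '/')` context shows this loop is the whole safety check, so a bad archive member name that still slips through would not be caught by the build. Please add a test to tests.tar.bz2 (Source2) with member names containing repeated slashes so the traversal check is exercised on every build, and confirm that after the skip `p` may now point at the terminating NUL and the following loop iteration handles that case.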
participants (1)
-
root@Hilbert.suse.de