perl: Directory traversal in Archive::Tar (CVE-2018-12015)
In Perl through 5.26.2, the Archive::Tar module allows remote attackers
to bypass a directory-traversal protection mechanism,
and overwrite arbitrary files, via an archive file containing a symlink
and a regular file with the same name.
References:
http://seclists.org/oss-sec/2018/q2/167
https://rt.cpan.org/Public/Bug/Display.html?id=125523
Patch:
https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
(from redmine: issue id 8981, created on 2018-06-12, closed on 2018-07-30)
- Relations:
- copied_to #8982 (closed)
- copied_to #8983 (closed)
- copied_to #8984 (closed)
- copied_to #8985 (closed)
- child #8982 (closed)
- child #8983 (closed)
- child #8984 (closed)
- child #8985 (closed)