perl: Directory traversal in Archive::Tar (CVE-2018-12015) (#8981) · Issues · alpine / aports

perl: Directory traversal in Archive::Tar (CVE-2018-12015)

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism,
and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

References:

http://seclists.org/oss-sec/2018/q2/167
https://rt.cpan.org/Public/Bug/Display.html?id=125523

Patch:

https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5

(from redmine: issue id 8981, created on 2018-06-12, closed on 2018-07-30)

Relations:
- copied_to #8982 (closed)
- copied_to #8983 (closed)
- copied_to #8984 (closed)
- copied_to #8985 (closed)
- child #8982 (closed)
- child #8983 (closed)
- child #8984 (closed)
- child #8985 (closed)

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information