[3.8] perl: Directory traversal in Archive::Tar (CVE-2018-12015)
In Perl through 5.26.2, the Archive::Tar module allows remote attackers
to bypass a directory-traversal protection mechanism,
and overwrite arbitrary files, via an archive file containing a symlink
and a regular file with the same name.
References:
http://seclists.org/oss-sec/2018/q2/167
https://rt.cpan.org/Public/Bug/Display.html?id=125523
Patch:
https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
(from redmine: issue id 8982, created on 2018-06-12, closed on 2018-07-30)
- Relations:
- copied_to #8981 (closed)
- parent #8981 (closed)
- Changesets:
- Revision 599da1ef on 2018-06-13T12:08:32Z:
main/perl: security fix (CVE-2018-12015)
Fixes #8982