[3.7] perl: Directory traversal in Archive::Tar (CVE-2018-12015) (#8983) · Issues · alpine / aports

[3.7] perl: Directory traversal in Archive::Tar (CVE-2018-12015)

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism,
and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

References:

http://seclists.org/oss-sec/2018/q2/167
https://rt.cpan.org/Public/Bug/Display.html?id=125523

Patch:

https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5

(from redmine: issue id 8983, created on 2018-06-12, closed on 2018-07-30)

Relations:
- copied_to #8981 (closed)
- parent #8981 (closed)
Changesets:
- Revision d824c74b on 2018-06-13T12:22:51Z:

main/perl: security fix (CVE-2018-12015)

Fixes #8983

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information