Change log for tar package in Ubuntu

tar (1.23-3) unstable; urgency=medium

  * add xz-utils back to the Suggests list since it may not be 'required'
    forever
  * current debhelper includes trigger support, closes: #561598
  * patch from upstream to fix ability of rmt to accept mixed file mode
    representations, closes: #587702, #597672

Available diffs

• diff from 1.23-2 to 1.23-3 (2.6 KiB)

tar (1.22-2ubuntu1) lucid-proposed; urgency=low

  * lib/utimens.c: Patch from Debian bug #563726 to ensure that futimens
    is only called with a valid file descriptor. Fixes bootstrapping Lucid
    from Dapper (LP: #539814)
 -- Keith Ward <email address hidden>   Tue, 24 Aug 2010 18:50:56 +0200

Available diffs

• diff from 1.22-2 to 1.22-2ubuntu1 (872 bytes)

tar (1.23-2) unstable; urgency=low

  * use xz when lzma is called for, and stop suggesting both lzma since it's
    no longer used, and xz-utils since it's now priority required,
    closes: #582706, #523494
 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  15 Jun 2010 10:11:14 +0100

Available diffs

• diff from 1.23-1 to 1.23-2 (1.6 KiB)

tar (1.23-1) unstable; urgency=low

  * new upstream version, fixes security issue in rmt (CVE-2010-0624)
  * add suggests for lzma and xz-utils, closes: #523499
 -- Ubuntu Archive Auto-Sync <email address hidden>   Sun,  09 May 2010 14:03:47 +0100

Available diffs

• diff from 1.22-2 to 1.23-1 (2.2 MiB)

tar (1.22-2) unstable; urgency=low

  * Add Carl Worth as an uploader.
  * Fix to allow parallel build (-j2), closes: #535319
  * Don't close file stream before EOF, closes: #525818
  * Preserve hard links with --remove-files, closes: #188663
    Thanks to Ted T'so for the idea and Sergey Poznyakoff for
    cleaning up my original implementation.
  * Respect DEB_BUILD_OPTIONS=nocheck to conform with Policy 3.8.2

Available diffs

• diff from 1.22-1 to 1.22-2 (3.1 KiB)

tar (1.22-1) unstable; urgency=low

  * new upstream version
  * version the Replaces entry for cpio, closes: #483355
  * move config.* update to configure target, yields a smaller diff that 
    doesn't clash with git-buildpackage... already had autotools-dev build dep!
  * script debian/tarman contributed by Marcus Watts now used to create tar.1
    by processing usage text in source code!  Partial fix for #473328.
    closes: #515578, #429776, #411707, 

 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  29 Apr 2009 12:13:22 +0100

Available diffs

• diff from 1.20-1 to 1.22-1 (962.5 KiB)

tar (1.18-2ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE: stack-based buffer overflow with malicious tar files
    - lib/paxnames.c: updated src/names.c to rewrite hash_string_prefix as
      hash_string_insert_prefix and adjust safer_name_suffix to use
      hash_string_insert_prefix to avoid stack allocation
    - patch from upstream paxlib commits:
      http://git.savannah.gnu.org/gitweb/?p=paxutils.git;a=commitdiff;h=b9199bbdefd32382953dd8c01ec881e5463c5a88
      http://git.savannah.gnu.org/gitweb/?p=paxutils.git;a=commitdiff;h=64379227940699a92113e3fd7c583e705a1f849b
    - CVE-2007-4476
    - LP: #180299

 -- Jamie Strandboge <email address hidden>   Wed, 14 Jan 2009 11:06:24 -0600

Available diffs

• diff from 1.18-2ubuntu1 (in Ubuntu) to 1.18-2ubuntu1.1 (1.3 KiB)

tar (1.15.1-2ubuntu2.3) dapper-security; urgency=low

  * SECURITY UPDATE: stack-based buffer overflow with malicious tar files
    - src/names.c: updated src/names.c to rewrite hash_string_prefix as
      hash_string_insert_prefix and adjust safer_name_suffix to use
      hash_string_insert_prefix to avoid stack allocation
    - patch from upstream paxlib commits:
      http://git.savannah.gnu.org/gitweb/?p=paxutils.git;a=commitdiff;h=b9199bbdefd32382953dd8c01ec881e5463c5a88
      http://git.savannah.gnu.org/gitweb/?p=paxutils.git;a=commitdiff;h=64379227940699a92113e3fd7c583e705a1f849b
    - CVE-2007-4476
    - LP: #180299
  * adjust tests/pipe.at pipe the output from `tar xfv' through sort and
    regenerate tests/testsuite with autom4ke to get tests working again (how
    did it ever successfully build before?)

 -- Jamie Strandboge <email address hidden>   Wed, 14 Jan 2009 09:10:49 -0600

Available diffs

• diff from 1.15.1-2ubuntu2 (in Ubuntu) to 1.15.1-2ubuntu2.3 (2.7 KiB)

tar (1.20-1) unstable; urgency=low

  * new upstream version

 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  02 May 2008 02:27:03 +0100

tar (1.19-3) unstable; urgency=low

  * upstream patch to remove error message when updating a non-existing archive
  * patch from Phil Hands for man page prevents URL splitting, closes: #463215

tar (1.19-1ubuntu2) hardy; urgency=low

  * Added 01-update-flag.dpatch:
    - Closes KDE Bug #151708
  * Fixed debian/rules and debian/control for dpatch

 -- Anthony Mercatante <tonio@kubuntu>   Fri, 04 Jan 2008 15:05:07 +0100

tar (1.19-1ubuntu1) hardy; urgency=low

  * Merge from debian unstable, remaining changes:
    - Set Ubuntu maintainer address.
    - Fix build failures with gcc-4.3 in lib/argp{-fmstream}.h

tar (1.18-2ubuntu1) gutsy; urgency=low

  * Build with -fgnu89-inline, fixes build failure with gcc-4.3. LP: 138674.
  * Set Ubuntu maintainer address.

 -- Matthias Klose <email address hidden>   Wed, 12 Sep 2007 19:58:51 +0000

tar (1.18-2build1) gutsy; urgency=low

  * Fake-sync because of a different orig.tar.gz.

tar (1.16-2ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: directory traversal with malicious tar files.
  * src/names.c: adjust dot dot checking, patched inline.
  * References
    CVE-2007-4131

 -- Kees Cook <email address hidden>   Tue, 28 Aug 2007 09:45:12 -0700

tar (1.15.91-2ubuntu0.4) edgy-security; urgency=low

  * SECURITY UPDATE: directory traversal with malicious tar files.
  * src/names.c: adjust dot dot checking, patched inline.
  * References
    CVE-2007-4131

 -- Kees Cook <email address hidden>   Tue, 28 Aug 2007 09:45:12 -0700

tar (1.15.1-2ubuntu2.2) dapper-security; urgency=low

  * SECURITY UPDATE: directory traversal with malicious tar files.
  * src/names.c: adjust dot dot checking, patched inline.
  * References
    CVE-2007-4131

 -- Kees Cook <email address hidden>   Tue, 28 Aug 2007 09:45:12 -0700

tar (1.18-1build1) gutsy; urgency=low

  * Pseudo sync, not matching .orig.tar.gz.

 -- Matthias Klose <email address hidden>   Mon, 13 Aug 2007 13:15:44 +0200

tar (1.18-0ubuntu1) gutsy; urgency=low

  * New upstream version.
    - Fixes build failure with glibc-2.6. Closes: #434015.

 -- Matthias Klose <email address hidden>   Wed, 01 Aug 2007 15:30:14 +0200

tar (1.16.1-1ubuntu1) gutsy; urgency=low

  * Globally rename futimens to tar_futimens, so it doesn't clash with
    the new glibc-2.6 symbol of the same name, causing build failures.

 -- Adam Conrad <email address hidden>   Mon, 30 Jul 2007 18:12:57 +1000

tar (1.16.1-1) unstable; urgency=low

  * new upstream version, closes: #402179
  * updated Russian translation from Yuriy Talakan, closes: #411613

 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  27 Apr 2007 13:18:48 +0100

tar (1.16-2) unstable; urgency=high

  * patch from Kees Cook via upstream to disable handling of GNUTYPE_NAMES 
    by default and add a new command-line switch --allow-name-mangling to 
    re-enable it, as a fix for directory traversal bug (CVE-2006-6097), 
    closes: #399845

 -- Kees Cook <email address hidden>   Mon,  18 Dec 2006 12:17:30 +0000

tar (1.16-1ubuntu1) feisty; urgency=low

  * SECURITY UPDATE: files can be overwritten/renamed in any writable location
    in the filesystem via GNUTYPE_NAMES type.
  * src/extract.c: disable GNUTYPE_NAMES type processing by default since it
    allows for immediate symlink creation and renames.
  * src/common.h, src/tar.c: add --allow-name-mangling option to restore
    default behavior.
  * References
    http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html

 -- Kees Cook <email address hidden>   Wed, 22 Nov 2006 19:46:54 -0800

tar (1.15.91-2ubuntu0.3) edgy-security; urgency=low

  * SECURITY UPDATE: files can be overwritten/renamed in any writable location
    in the filesystem via GNUTYPE_NAMES type.
  * src/extract.c: disable GNUTYPE_NAMES type processing by default since it
    allows for immediate symlink creation and renames.
  * src/common.h, src/tar.c: add --allow-name-mangling option to restore
    default behavior.
  * debian/rules: lowered optimization level on i386 for testcase #29.
  * References
    http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html
    CVE-2006-6097

 -- Kees Cook <email address hidden>   Fri, 24 Nov 2006 12:48:25 -0800

tar (1.15.1-2ubuntu2.1) dapper-security; urgency=low

  * SECURITY UPDATE: files can be overwritten/renamed in any writable location
    in the filesystem via GNUTYPE_NAMES type.
  * src/extract.c: disable GNUTYPE_NAMES type processing by default since it
    allows for immediate symlink creation and renames.
  * src/common.h, src/tar.c: add --allow-name-mangling option to restore
    default behavior.
  * References
    http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html

 -- Kees Cook <email address hidden>   Wed, 22 Nov 2006 20:21:52 -0800

tar (1.15.1-2ubuntu0.2) breezy-security; urgency=low

  * SECURITY UPDATE: files can be overwritten/renamed in any writable location
    in the filesystem via GNUTYPE_NAMES type.
  * src/extract.c: disable GNUTYPE_NAMES type processing by default since it
    allows for immediate symlink creation and renames.
  * src/common.h, src/tar.c: add --allow-name-mangling option to restore
    default behavior.
  * References
    http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html

 -- Kees Cook <email address hidden>   Wed, 22 Nov 2006 20:15:02 -0800

tar (1.16-1) unstable; urgency=medium

  * new upstream version, closes: #376816, #363943, #377124, #377330
  * fix for buffer overflow in test suite, closes: #377557
  * force a clean in the tests directory before running the test suite, seems
    to work around test suite repeatability problems, closes: #377330, #379393
  * accept patch from Raphael Bossek to zero nanoseconds, closes: #329843
  * update man page to reflect change in -l definition and other misc changes
    to options since man page was last updated, 
    closes: #384508, #391718, 361932, #315506
  * stop delivering upstream README, closes: #323232

 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  08 Nov 2006 19:47:13 +0000

tar (1.15.91-2) unstable; urgency=low

  * add a NEWS.Debian file that communicates the change in wildcard processing
  * re-institute the patch for filenames that are exactly 100 characters in 
    length originally reported in #230910, closes: #376909

 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  10 Jul 2006 12:36:49 +0100

tar (1.15.91-1) unstable; urgency=low

  * new upstream version, retrieved from alpha.gnu.org
  * update date in tar.1, closes: #367290
  * support rollbacks in maintainer scripts, drop removal of info since this
    package no longer delivers an info doc, closes: #374461

tar (1.15.1-2ubuntu2) dapper; urgency=low

  * Do not mess with directory permissions when extracting
    without -p.  Malone 19540.

 -- Ian Jackson <email address hidden>   Wed,  5 Apr 2006 17:25:15 +0100

tar (1.15.1-2ubuntu0.1) breezy-security; urgency=low

  * SECURITY UPDATE: Arbitrary code execution with crafted tar files.
  * src/xheader.c:
    - Add a new function decode_num() which wraps xstrtoumax() and adds
      boundary and sanity checking.
    - Use decode_num() instead of xstrtoumax() in the code to avoid buffer
      overflows on excessively large field values like GNU.sparse.numblocks.
    - Patch taken from upstream CVS.
  * CVE-2006-0300

 -- Martin Pitt <email address hidden>   Thu, 23 Feb 2006 11:25:52 +0100

tar (1.14-2ubuntu0.1) hoary-security; urgency=low

  * SECURITY UPDATE: Arbitrary code execution with crafted tar files.
  * src/xheader.c:
    - Add a new function decode_num() which wraps xstrtoumax() and adds
      boundary and sanity checking.
    - Use decode_num() instead of xstrtoumax() in the code to avoid buffer
      overflows on excessively large field values like GNU.sparse.numblocks.
    - Patch taken from upstream CVS.
  * CVE-2006-0300

 -- Martin Pitt <email address hidden>   Thu, 23 Feb 2006 10:27:25 +0000

tar (1.15.1-2ubuntu1) dapper; urgency=low

  * SECURITY UPDATE: Arbitrary code execution with crafted tar files.
  * src/xheader.c:
    - Add a new function decode_num() which wraps xstrtoumax() and adds
      boundary and sanity checking.
    - Use decode_num() instead of xstrtoumax() in the code to avoid buffer
      overflows on excessively large field values like GNU.sparse.numblocks.
    - Patch taken from upstream CVS.
  * CVE-2006-0300

 -- Martin Pitt <email address hidden>   Thu, 23 Feb 2006 11:07:05 +0100

tar (1.15.1-2) unstable; urgency=low


  * patch from LaMont to fix gcc-4.0 error in the test suite, 
    closes: #308815, #310830
  * patch for de.po from Jens Seidel, closes: #313900
  * fix amanda upstream URL in the info pages, closes: #310158
  * patch from NIIBE Yutaka to support cross builds, closes: #283723

 -- Bdale Garbee <email address hidden>  Tue, 14 Jun 2005 23:42:40 -0600

tar (1.14-2) unstable; urgency=low


  * patch from Paul Eggert that does a better job of eliminating the 
    dependency on (buggy) valloc, closes: #234422, #248897
  * patch for typo in upstream po/de.po, closes: #154511
  * switch from dh_installmanpages to dh_installman

 -- Bdale Garbee <email address hidden>  Tue,  3 Aug 2004 08:22:17 -0600

tar (1.13.93-4) unstable; urgency=high


  * patch to stop issuing lone zero block warnings, closes: #235820
  * patch to clean up hyphenation in man page, closes: #185670
  * clean up manpage discussion of exclude and exclude-from, closes: #146196
  * turn on regression tests in the build process

 -- Bdale Garbee <email address hidden>  Sat, 24 Apr 2004 15:38:32 -0600