On Sun, 15 Mar 2009 12:22:37 +0100, Luk Claes wrote:
> >>> This is Debian bug #449544.
[..]
> >>> However it would be nice if this could get fixed via a regular point update[1].
> >> Nico brought this point to our (pkg-perl's) attention - After some
> >> discussion in the pkg-perl IRC channel, we found that the intermediate
> >> releases between the version shipped in Etch (1.30) and the one where
> >> this bug was fixed (1.38) were all reliability-related [1], and appear
> >> to be not too broad. So, even if we could just pick up the required
> >> changeset to make a specific 1.30-2+etch1 upload, it would be better
> >> just to upload 1.38 to Etch instead - Please tell us what to do.
> > Looking at the changelog it looks indeed like it would be a
> > good idea to ship 1.38. Would that be a problem for the
> > release team?
> It depends on the diff.
Oops, it seems that nobody has picked up that question yet, sorry for
that.

I'm attaching the diff between 1.30-2 (in oldstable) and 1.38-2 (the
last version in the archive that got removed later). The diff is
created by

    svn diff svn+ssh://svn.debian.org/svn/pkg-perl/attic/libarchive-tar-perl/tags/1.30-2 svn+ssh://svn.debian.org/svn/pkg-perl/attic/libarchive-tar-perl/tags/1.38-2

Cheers,
gregor
--
.''`. Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
: :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/
`. `' Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
`- NP: Pink Floyd: In The Flesh
Index: debian/control
===================================================================
--- debian/control (.../1.30-2) (revision 32619)
+++ debian/control (.../1.38-2) (revision 32619)
@@ -2,24 +2,23 @@
Section: perl
Priority: optional
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
-Uploaders: gregor herrmann <gregor+debian@comodo.priv.at>, Alexis Sukrieh <sukria@debian.org>
-XS-Vcs-Svn: svn://svn.debian.org/svn/pkg-perl/packages/libarchive-tar-perl/trunk/
-Standards-Version: 3.7.2
+Uploaders: gregor herrmann <gregor+debian@comodo.priv.at>,
+ Alexis Sukrieh <sukria@debian.org>, Gunnar Wolf <gwolf@debian.org>,
+ Rene Mayorga <rmayorga@debian.org.sv>, Damyan Ivanov <dmn@debian.org>,
+ Russ Allbery <rra@debian.org>
+Standards-Version: 3.7.3
+Homepage: http://search.cpan.org/dist/Archive-Tar/
+Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libarchive-tar-perl/
+Vcs-Browser: http://svn.debian.org/wsvn/pkg-perl/trunk/libarchive-tar-perl/
Build-Depends: debhelper (>= 5)
-Build-Depends-Indep: perl (>> 5.8.1)
+Build-Depends-Indep: perl (>> 5.8.1), libtest-pod-perl, libio-zlib-perl
Package: libarchive-tar-perl
Architecture: all
Depends: ${perl:Depends}, libio-zlib-perl
-Suggests: libio-string-perl
-Description: Archive::Tar - manipulate tar files in perl
- Archive::Tar allows you to create, read, write, extract & update tar
- files using native perl code (no system('tar -xf')). It supports
- both compressed & uncompressed tarfiles as well as most of the GNU
+Suggests: libio-string-perl, libtext-diff-perl
+Description: manipulate tar files in Perl
+ Archive::Tar allows you to create, read, write, extract, and update tar
+ files using native Perl code (no system('tar -xf')). It supports
+ both compressed and uncompressed tarfiles as well as most of the GNU
extensions to the standard tar structure.
- .
- Archive::Tar provides an object oriented mechanism for handling tar
- files. It provides class methods for quick and easy files handling
- while also allowing for the creation of tar file objects for custom
- manipulation. If you have the Compress::Zlib module installed,
- Archive::Tar will also support compressed or gzipped tar files.
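Review bot: The added Build-Depends-Indep entries (libtest-pod-perl, libio-zlib-perl) and the new Suggests on libtext-diff-perl need to be checked against what Etch actually ships before this goes to oldstable. The rest of the hunk (Uploaders, Standards-Version 3.7.3, Homepage and Vcs-* fields, the description rewording) is packaging metadata unrelated to the CVE-2007-4829 fix and could stay at its 1.30-2 state to keep the point-update diff small.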
Index: debian/watch
===================================================================
--- debian/watch (.../1.30-2) (revision 32619)
+++ debian/watch (.../1.38-2) (revision 32619)
@@ -1,2 +1,2 @@
-version=2
-http://search.cpan.org/CPAN/authors/id/K/KA/KANE/Archive-Tar-([\d\.]*)\.tar\.gz
+version=3
+http://search.cpan.org/dist/Archive-Tar/ .*/Archive-Tar-v?(\d[\d_.]+)\.(?:tar(?:\.gz|\.bz2)?|tgz|zip)
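Review bot: In the new pattern the version group `(\d[\d_.]+)` accepts underscores, so uscan would also match CPAN developer releases (a name such as Archive-Tar-1.38_01.tar.gz, given here only as an illustration). If only stable releases should be tracked, drop the `_` from the character class.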
Index: debian/changelog
===================================================================
--- debian/changelog (.../1.30-2) (revision 32619)
+++ debian/changelog (.../1.38-2) (revision 32619)
@@ -1,3 +1,91 @@
+libarchive-tar-perl (1.38-2) unstable; urgency=low
+
+ [ gregor herrmann ]
+ * debian/rules: delete /usr/lib/perl5 only if it exists.
+ (Closes: #467663)
+
+ [ Russ Allbery ]
+ * debian/rules cleanup:
+ - Restructure to match a typical debian/rules for the group.
+ - Add build-arch and build-indep targets.
+ - Call install instead of pure_install to match normal practice.
+ * debian/control: remove the module name from the short description
+ and remove the redundant and inaccurate second paragraph of the long
+ description.
+
+ -- Russ Allbery <rra@debian.org> Mon, 03 Mar 2008 23:52:55 -0800
+
+libarchive-tar-perl (1.38-1) unstable; urgency=high
+
+ * New upstream release:
+ - fixes security bug "directory traversal vulnerability" - CVE-2007-4829
+ (closes: #449544)
+ - urgency set to high because of the security fix
+ - add NEWS.Debian that documents the changed behaviour
+ * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser
+ field (source stanza); Homepage field (source stanza). Removed:
+ Homepage pseudo-field (Description); XS-Vcs-Svn fields.
+ * Set Standards-Version to 3.7.3 (no changes required).
+ * Add libtext-diff-perl to Suggests:.
+ * debian/watch: use dist-based URL.
+ * debian/rules: use dh_listpackages to get package name.
+
+ -- gregor herrmann <gregor+debian@comodo.priv.at> Wed, 26 Dec 2007 00:32:24 +0100
+
+libarchive-tar-perl (1.36-1) unstable; urgency=low
+
+ * New upstream release
+ * debian/changelog
+ + Upstream copyright info update
+ + Upstream URL added
+ * debian/control
+ + Homepage field added
+
+ -- Rene Mayorga <rmayorga@debian.org.sv> Sun, 16 Sep 2007 21:38:11 -0600
+
+libarchive-tar-perl (1.34-1) unstable; urgency=low
+
+ [ Rene Mayorga ]
+ * New upstream release
+
+ [ Damyan Ivanov ]
+ * debian/copyright: note that DPG is the current maintainer
+ * Drop LD_* option from $(MAKE)
+ * Add $(MAKE) test
+ + Added libtest-pod-perl and libio-zlib-perl to Build-Depends-Indep to run
+ as much tests as possible
+ * Drop unneeded dh_installdirs
+ * Added myself to Uploaders: (and wrapped it)
+
+ -- Damyan Ivanov <dmn@debian.org> Fri, 17 Aug 2007 11:43:23 +0300
+
+libarchive-tar-perl (1.32-1) unstable; urgency=low
+
+ * [Rene Mayorga]
+ New upstream release
+
+ * [Damyan Ivanov]
+ Drop dpatch, it is unused (rules, control, patches)
+ Remove other cruft from debian/rules
+
+ -- Rene Mayorga <rmayorga@debian.org.sv> Tue, 03 Jul 2007 16:56:17 -0600
+
+libarchive-tar-perl (1.31-1) unstable; urgency=low
+
+ * New upstream release
+ * Removed debian/patches/10_dont_warn_when_only_checking.dpatch as it
+ was integrated upstream
+
+ -- Gunnar Wolf <gwolf@debian.org> Fri, 18 May 2007 16:35:09 -0500
+
+libarchive-tar-perl (1.30-3) unstable; urgency=low
+
+ * No longer sends out warnings when checking whether a file exists
+ inside an archive (Closes: #318497)
+ * Added dpatch framework (and, of course, build-dependency)
+
+ -- Gunnar Wolf <gwolf@debian.org> Mon, 14 May 2007 10:48:59 -0500
+
libarchive-tar-perl (1.30-2) unstable; urgency=low
[ gregor herrmann ]
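Review bot: Every added entry, including the top one (1.38-2), targets `unstable`, so the changelog as shown cannot go to Etch unchanged; an oldstable upload needs a new top entry naming that distribution and a version chosen for that suite. Separately, the 1.36-1 entry files "Upstream copyright info update" and "Upstream URL added" under debian/changelog, which looks like it should read debian/copyright, since that is the file in this diff that gains the URL and the updated copyright years.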
Index: debian/copyright
===================================================================
--- debian/copyright (.../1.30-2) (revision 32619)
+++ debian/copyright (.../1.38-2) (revision 32619)
@@ -7,16 +7,20 @@
from the Comprehensive Perl Archive Network (CPAN). Visit
<URL:http://www.perl.com/CPAN/> to find a CPAN site near you.
+You can find the original sources at: http://search.cpan.org/dist/Archive-Tar/
+
The only change for the Debian package was the addition of the debian/
files. It was maintained by Stephen Zander <gibreel@pobox.com> until
-10 Oct 2004 and is now maintained by Matthias Klose <doko@debian.org>.
+10 Oct 2004, by Matthias Klose <doko@debian.org> until Nov 2006 and since then,
+by the Debian Perl Group <debian-perl@lists.debian.org>
+
The Archive::Tar copright is as follows:
Archive::Tar is Copyright 1997 Calle Dybedahl. All rights reserved.
Copyright 1998 Stephen Zander. All rights reserved.
- Copyright 2002 Jos Boumans. All rights reserved.
+ Copyright 2002 - 2007 Jos Boumans. All rights reserved.
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.
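Review bot: The added maintainer line gives the Debian Perl Group as <debian-perl@lists.debian.org>, while debian/control in this same diff lists the Maintainer as <pkg-perl-maintainers@lists.alioth.debian.org>; use one address in both files. The new sentence also lacks its closing full stop, and the unchanged context line just below it still reads "copright".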
Index: debian/rules
===================================================================
--- debian/rules (.../1.30-2) (revision 32619)
+++ debian/rules (.../1.38-2) (revision 32619)
@@ -2,56 +2,50 @@
# -*-makefile-*-
# debian/rules file for libarchive-tar-perl
-PERL ?= /usr/bin/perl
+PACKAGE = $(shell dh_listpackages)
+TMP = $(CURDIR)/debian/$(PACKAGE)
+PERL ?= /usr/bin/perl
-package := $(shell sed -ne 's/^Package: *//p' debian/control)
-prefix := $(CURDIR)/debian/$(package)/usr
-
-version := $(shell dpkg-parsechangelog | \
- sed -ne 's/Version: *\([0-9]\+:\)*//p')
-
-tag:
- cvs tag -c -F $(subst .,_,debian_version_$(version))
-ifeq ($(findstring -,$(version)),)
- cvs tag -c -F $(subst .,_,upstream_version_$(version))
-endif
-
-build: build-stamp
+build: build-arch build-indep
+build-arch:
+build-indep: build-stamp
build-stamp:
dh_testdir
- $(PERL) Makefile.PL INSTALLDIRS=vendor PERL=$(PERL)
- $(MAKE) LD_RUN_PATH=
+ $(PERL) Makefile.PL INSTALLDIRS=vendor
+ $(MAKE)
+ $(MAKE) test
touch $@
-clean: checkroot
- rm -f build-stamp
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp install-stamp
[ ! -f Makefile ] || $(MAKE) distclean
dh_clean
-binary-indep: checkroot build
+install: install-stamp
+install-stamp: build-stamp
+ dh_testdir
+ dh_testroot
dh_clean
- dh_installdirs
+ $(MAKE) install DESTDIR=$(TMP) PREFIX=/usr
+ [ ! -d $(TMP)/usr/lib/perl5 ] || rmdir --ignore-fail-on-non-empty --parents --verbose $(TMP)/usr/lib/perl5
+ touch $@
- $(MAKE) pure_install PREFIX=$(prefix)
- rmdir --parents --ignore-fail-on-non-empty $(prefix)/lib/perl5
-
+binary: binary-arch binary-indep
+binary-arch:
+binary-indep: build-stamp install-stamp
+ dh_testdir
+ dh_testroot
dh_installdocs README
dh_installchangelogs CHANGES
-
+ dh_perl
dh_compress
dh_fixperms
- dh_perl
dh_installdeb
dh_gencontrol
dh_md5sums
dh_builddeb
-binary-arch: checkroot build
-
-binary: binary-indep binary-arch
-
-checkroot:
- dh_testdir
- dh_testroot
-
-.PHONY: binary binary-arch binary-indep clean checkroot build
+.PHONY: binary binary-arch binary-indep build build-arch build-indep clean
+.PHONY: install
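Review bot: In the new install-stamp target, plain `dh_clean` runs after the build and immediately before `$(MAKE) install`; `dh_clean -k` is the usual form at that point, because without `-k` it also deletes debian/files. In addition, build-stamp now runs `$(MAKE) test` unconditionally, so any test failure fails the package build, which makes a trial build in an Etch environment worthwhile before the upload.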
Index: debian/NEWS
===================================================================
--- debian/NEWS (.../1.30-2) (revision 0)
+++ debian/NEWS (.../1.38-2) (revision 32619)
@@ -0,0 +1,23 @@
+libarchive-tar-perl (1.38-1) unstable; urgency=high
+
+ libarchive-tar-perl before 1.38 had a security vulnerability regarding
+ directory traversal [0]. This bug is fixed in 1.38 resulting in a changed
+ (and backward incompatible) behaviour. From the upstream changelog:
+
+ ~~~~~
+
+ _ Address #30380: directory traversal vulnerability in Archive-Tar
+ - Add $INSECURE_EXTRACT_MODE which defaults to 0, disallowing
+ archives to extract files outside of cwd(). This is a backwards
+ incompatible change from 1.36 and before.
+ - Add a -I option to ptar to enable insecure extraction if needed
+
+ ~~~~~
+
+ [0]
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449544
+ https://rt.cpan.org/Public/Bug/Display.html?id=30380
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4829
+
+
+ -- gregor herrmann <gregor+debian@comodo.priv.at> Wed, 26 Dec 2007 00:13:50 +0100
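Review bot: The NEWS text only quotes the upstream changelog and never tells an administrator what to do when an existing script stops working. A sentence after the quoted block should say that extraction outside cwd() is now refused by default and that $INSECURE_EXTRACT_MODE, or `ptar -I`, restores the old behaviour for archives that are trusted. The entry header also carries version 1.38-1 and `unstable`; for an Etch upload it should match the version and suite actually uploaded.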
Property changes on: debian
___________________________________________________________________
Added: svn-bp:tagsUrl
+ svn+ssh://svn.debian.org/svn/pkg-perl/tags/libarchive-tar-perl
Added: svn-bp:TrunkUrl
+ svn+ssh://svn.debian.org/svn/pkg-perl/trunk/libarchive-tar-perl
Added: svn-bp:upsTagUrl
+ svn+ssh://svn.debian.org/svn/pkg-perl/branches/upstream/libarchive-tar-perl
Added: svn-bp:upsCurrentUrl
+ svn+ssh://svn.debian.org/svn/pkg-perl/branches/upstream/libarchive-tar-perl/current
Index: t/00_setup.t
===================================================================
--- t/00_setup.t (.../1.30-2) (revision 32619)
+++ t/00_setup.t (.../1.38-2) (revision 32619)
@@ -1,699 +0,0 @@
-BEGIN {
- if( $ENV{PERL_CORE} ) {
- chdir '../lib/Archive/Tar' if -d '../lib/Archive/Tar';
- }
- use lib '../../..';
-}
-
-BEGIN { chdir 't' if -d 't' }
-
-use lib '../lib';
-use File::Spec ();
-
-
-mkdir 'src' unless -d 'src';
-
-for my $d ( map { File::Spec->catdir( 'src', $_ ) } qw(short long) ) {
- -d $d or mkdir $d;
- my $file = File::Spec->catfile($d,'b');
- open F, '>', $file or die "Can't create $file: $!\n";
- print F "bbbbbbbbbbb\n";
- close F;
-}
-
-sub output {
- my $file = shift;
- open F, '>', $file or die "Can't create $file: $!\n";
- binmode F;
- for (@_) {
- print F pack "H*", $_;
- }
- close F;
-}
-
-output( File::Spec->catfile( qw[src long bar.tar] ), qw(
-6300000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000030313030363434003030303037363500303030303032340030303030
-3030303030313500303736353133313236323500303130303330002030000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0075737461722020006b616e6500000000000000000000000000000000000000
-0000000000000000007374616666000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6969696969696969696969690a00000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6400000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000030313030363434003030303037363500303030303032340030303030
-3030303030313100303736353133313236323500303130303235002030000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0075737461722020006b616e6500000000000000000000000000000000000000
-0000000000000000007374616666000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-75757575757575750a0000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6469726563746f72792f00000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000030303430373535003030303037363500303030303032340030303030
-3030303030303000303736353133313034303200303131363635002035000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0075737461722020006b616e6500000000000000000000000000000000000000
-0000000000000000007374616666000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-2e2f2e2f404c6f6e674c696e6b00000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000030303030303030003030303030303000303030303030300030303030
-303030303334330030303030303030303030300030313137303600204c000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-007573746172202000726f6f7400000000000000000000000000000000000000
-000000000000000000776865656c000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6469726563746f72792f7265616c6c792d7265616c6c792d7265616c6c792d72
-65616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c
-792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265
-616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c79
-2d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d726561
-6c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d
-7265616c6c792d7265616c6c792d6c6f6e672d6469726563746f72792d6e616d
-652f000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6469726563746f72792f7265616c6c792d7265616c6c792d7265616c6c792d72
-65616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c
-792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265
-616c6c0030303430373030003030303037363500303030303032340030303030
-3030303030303000303736343036313031313100303333313031002035000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0075737461722020006b616e6500000000000000000000000000000000000000
-0000000000000000007374616666000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-2e2f2e2f404c6f6e674c696e6b00000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000030303030303030003030303030303000303030303030300030303030
-303030303335310030303030303030303030300030313137303500204c000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-007573746172202000726f6f7400000000000000000000000000000000000000
-000000000000000000776865656c000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6469726563746f72792f7265616c6c792d7265616c6c792d7265616c6c792d72
-65616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c
-792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265
-616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c79
-2d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d726561
-6c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d
-7265616c6c792d7265616c6c792d6c6f6e672d6469726563746f72792d6e616d
-652f6d7966696c65000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6469726563746f72792f7265616c6c792d7265616c6c792d7265616c6c792d72
-65616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c
-792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265
-616c6c0030313030363030003030303037363500303030303032340030303030
-3030303030303600303736343036313031313100303333303736002030000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0075737461722020006b616e6500000000000000000000000000000000000000
-0000000000000000007374616666000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-68656c6c6f0a0000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-));
-output( File::Spec->catfile( qw[src long foo.tgz] ), qw(
-1f8b0800000000000003edd74b6e8330100660af730a2e4098c10fb63d009740
-8949501c902851c4ed6bc8ab515abaf2b485f93616c9481e64fe91bc11e10102
-18a5047899d1e30ae9e57984fe37ff074a4c4daac77a09220282dec4e9bd2bda
-281287a2b65375beac2c291aa2557db2faed6618b92dc11e3fe71f5ff2ef17ce
-3f81d315677f99b6556b375dd3f649b83d0014645a7f9f7f805bfe7d65eaf38f
-c697453a5c4b0f0bcfff3a59276f7953eff2aa3e04dae37ec65faf20957cfe16
-10333022ca03f5f3e476fe6dd3745375e7bdb58ea2215a8ffcb7b670ae8ffff5
-e2fc871cdf5f29ae8ba30d38d7e680e0fc2ff3ff9af7e9f99f2a35dc05a54454
-3cff29fc89f9aff175fe6b9eff14e63fff8f7d59b9c9682f19c9fc1feeff93f3
-df0cf35f81411f7d1ce6bf7fe4fb3f85bd75aee1cb3f638c31c618638c31c6d8
-6c7d00dd7a588000280000
-));
-output( File::Spec->catfile( qw[src short bar.tar] ), qw(
-6300000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000030313030363434003030303037363500303030303032340030303030
-3030303030313500303736353133313236323500303130303330002030000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0075737461722020006b616e6500000000000000000000000000000000000000
-0000000000000000007374616666000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6969696969696969696969690a00000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-6400000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000030313030363434003030303037363500303030303032340030303030
-3030303030313100303736353133313236323500303130303235002030000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0075737461722020006b616e6500000000000000000000000000000000000000
-0000000000000000007374616666000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-75757575757575750a0000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-0000000000000000000000000000000000000000000000000000000000000000
-));
-output( File::Spec->catfile( qw[src short foo.tgz] ), qw(
-1f8b0800000000000003edd3410ac2301085e159f71439c24cdaa6e7296a4184
-2eaabd7f87e84210ecaa23c2ff6d862403799b7792e3a9a996ae137543e9ebd4
-fc3c57e677fe60ade592fbbadfaa240dc826ebfd312e29c96d9c2fdff67c6d9a
-2202c5babe697e1d06e1ce017fecf7df3efaef83fe07585fe83e000000000000
-0000000000c07fda00d45b541f00280000
-));
-
-print "1..1\nok 1 - setup done\n";
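Review bot: The hex literals removed here from t/00_setup.t were the only reviewable form of the bar.tar and foo.tgz fixtures; their replacements under t/src/long and t/src/short appear later in this diff only as "Cannot display: file marked as a binary type", so reading the patch does not cover their contents. Before accepting this for a stable update, regenerate the files with the 1.30-2 version of this script and compare them byte for byte with the committed binaries, or attach checksums of the new files to the request.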
Index: t/99_clean.t
===================================================================
--- t/99_clean.t (.../1.30-2) (revision 32619)
+++ t/99_clean.t (.../1.38-2) (revision 32619)
@@ -1,38 +0,0 @@
-#!perl
-BEGIN {
- if( $ENV{PERL_CORE} ) {
- chdir '../lib/Archive/Tar' if -d '../lib/Archive/Tar';
- }
- use lib '../../..';
-}
-
-BEGIN { chdir 't' if -d 't' }
-
-use lib '../lib';
-use File::Spec ();
-use Test::More 'no_plan';
-
-for my $d (qw(long short)) {
- for my $f (qw(b bar.tar foo.tgz)) {
-
- my $path = File::Spec->catfile('src', $d, $f);
- ok( -e $path, "File $path exists" );
-
- 1 while unlink $path;
-
- ok(!-e $path, " File deleted" );
- }
-
- my $dir = File::Spec->catdir('src', $d);
-
- ok( -d $dir, "Dir $dir exists" );
- 1 while rmdir $dir;
- ok(!-d $dir, " Dir deleted" );
-
-}
-
-{ my $dir = 'src';
- ok( -d $dir, "Dir $dir exists" );
- 1 while rmdir $dir;
- ok(!-d $dir, " Dir deleted" );
-}
Index: t/03_file.t
===================================================================
--- t/03_file.t (.../1.30-2) (revision 32619)
+++ t/03_file.t (.../1.38-2) (revision 32619)
@@ -20,6 +20,10 @@
[ 'x/bIn1', $all_chars ],
[ 'bIn2', $all_chars x 2 ],
[ 'bIn0', '' ],
+
+ ### we didnt handle 'false' filenames very well across A::T as of version
+ ### 1.32, as reported in #28687. Test for the handling of such files here.
+ [ 0, '', ],
### keep this one as the last entry
[ 'x/yy/z', '', { type => DIR,
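Review bot: The new entry `[ 0, '', ]` pairs a false file name with empty (also false) content, so a failure here would not show which of the two was mishandled. A second entry with the name 0 and non-empty content would isolate the filename case. The comment should also say which tracker "#28687" refers to, and "didnt" should read "didn't".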
Index: t/04_resolved_issues.t
===================================================================
--- t/04_resolved_issues.t (.../1.30-2) (revision 32619)
+++ t/04_resolved_issues.t (.../1.38-2) (revision 32619)
@@ -7,20 +7,25 @@
BEGIN { chdir 't' if -d 't' }
-use Test::More 'no_plan';
+use Test::More 'no_plan';
+use File::Basename 'basename';
use strict;
use lib '../lib';
my $NO_UNLINK = @ARGV ? 1 : 0;
my $Class = 'Archive::Tar';
+my $FileClass = $Class . '::File';
use_ok( $Class );
+use_ok( $FileClass );
### bug #13636
### tests for @longlink behaviour on files that have a / at the end
### of their shortened path, making them appear to be directories
-{ ### dont use the prefix, otherwise A::T will not use @longlink
+{ ok( 1, "Testing bug 13636" );
+
+ ### dont use the prefix, otherwise A::T will not use @longlink
### encoding style
local $Archive::Tar::DO_NOT_USE_PREFIX = 1;
local $Archive::Tar::DO_NOT_USE_PREFIX = 1;
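Review bot: `ok( 1, "Testing bug 13636" )` at the top of this block is an assertion that can never fail and serves only as a banner, which inflates the pass count under 'no_plan'. `diag()`, which t/02_methods.t in this same diff already uses, would print the banner without counting as a test. The same applies to the "Testing bug ..." lines added further down in this file.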
@@ -33,25 +38,25 @@
### first create the file
{ my $tar = $Class->new;
- isa_ok( $tar, $Class );
+ isa_ok( $tar, $Class, " Object" );
ok( $tar->add_data( $dir.$file => $$ ),
- " Added long file" );
+ " Added long file" );
- ok( $tar->write($out), " File written to $out" );
+ ok( $tar->write($out), " File written to $out" );
}
### then read it back in
{ my $tar = $Class->new;
- isa_ok( $tar, $Class );
- ok( $tar->read( $out ), " Read in $out again" );
+ isa_ok( $tar, $Class, " Object" );
+ ok( $tar->read( $out ), " Read in $out again" );
my @files = $tar->get_files;
- is( scalar(@files), 1, " Only 1 entry found" );
+ is( scalar(@files), 1, " Only 1 entry found" );
my $entry = shift @files;
- ok( $entry->is_file, " Entry is a file" );
+ ok( $entry->is_file, " Entry is a file" );
is( $entry->name, $dir.$file,
- " With the proper name" );
+ " With the proper name" );
}
### remove the file
@@ -62,38 +67,88 @@
### There's a bug in Archive::Tar that causes a file like: foo/foo.txt
### to be stored in the tar file as: foo/.txt
### XXX could not be reproduced in 1.26 -- leave test to be sure
-{ my $dir = $$ . '/';
+{ ok( 1, "Testing bug 14922" );
+
+ my $dir = $$ . '/';
my $file = $$ . '.txt';
my $out = $$ . '.tar';
### first create the file
{ my $tar = $Class->new;
- isa_ok( $tar, $Class );
+ isa_ok( $tar, $Class, " Object" );
ok( $tar->add_data( $dir.$file => $$ ),
- " Added long file" );
+ " Added long file" );
- ok( $tar->write($out), " File written to $out" );
+ ok( $tar->write($out), " File written to $out" );
}
### then read it back in
{ my $tar = $Class->new;
- isa_ok( $tar, $Class );
- ok( $tar->read( $out ), " Read in $out again" );
+ isa_ok( $tar, $Class, " Object" );
+ ok( $tar->read( $out ), " Read in $out again" );
my @files = $tar->get_files;
- is( scalar(@files), 1, " Only 1 entry found" );
+ is( scalar(@files), 1, " Only 1 entry found" );
my $entry = shift @files;
- ok( $entry->is_file, " Entry is a file" );
+ ok( $entry->is_file, " Entry is a file" );
is( $entry->full_path, $dir.$file,
- " With the proper name" );
+ " With the proper name" );
}
### remove the file
unless( $NO_UNLINK ) { 1 while unlink $out }
}
+### bug #30380: directory traversal vulnerability in Archive-Tar
+### Archive::Tar allowed files to be extracted to a dir outside
+### it's cwd(), effectively allowing you to overwrite any files
+### on the system, given the right permissions.
+{ ok( 1, "Testing bug 30880" );
+
+ my $tar = $Class->new;
+ isa_ok( $tar, $Class, " Object" );
+ ### absolute paths are already taken care of. Only relative paths
+ ### matter
+ my $in_file = basename($0);
+ my $out_file = '../' . $in_file . ".$$";
+ ok( $tar->add_files( $in_file ),
+ " Added '$in_file'" );
+ ok( $tar->rename( $in_file, $out_file ),
+ " Renamed to '$out_file'" );
+ ### first, test with strict extract permissions on
+ { local $Archive::Tar::INSECURE_EXTRACT_MODE = 0;
+
+ ### we quell the error on STDERR
+ local $Archive::Tar::WARN = 0;
+ local $Archive::Tar::WARN = 0;
+
+ ok( 1, " Extracting in secure mode" );
+
+ ok( ! $tar->extract_file( $out_file ),
+ " File not extracted" );
+ ok( ! -e $out_file, " File '$out_file' does not exist" );
+
+ ok( $tar->error, " Error message stored" );
+ like( $tar->error, qr/attempting to leave/,
+ " Proper violation detected" );
+ }
+
+ ### now disable those
+ { local $Archive::Tar::INSECURE_EXTRACT_MODE = 1;
+ ok( 1, " Extracting in insecure mode" );
+
+ ok( $tar->extract_file( $out_file ),
+ " File extracted" );
+ ok( -e $out_file, " File '$out_file' exists" );
+
+ ### and clean up
+ unless( $NO_UNLINK ) { 1 while unlink $out_file };
+ }
+
+
+}
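Review bot: The comment introducing the traversal test cites "bug #30380" while the test label directly below it says "Testing bug 30880"; one of the two numbers is wrong and should be corrected so the test can be traced back to its report. The block also exercises only a name with a leading '../'. A case with '..' in the middle of the path, plus an explicit assertion for the absolute-path case that the comment describes as "already taken care of", would pin down the secure-mode behaviour more fully. The insecure-mode half really does write into the parent directory of t/ and leaves the file there when $NO_UNLINK is set, which is worth stating in the comment. Also, "it's cwd()" should read "its cwd()".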
Index: t/02_methods.t
===================================================================
--- t/02_methods.t (.../1.30-2) (revision 32619)
+++ t/02_methods.t (.../1.38-2) (revision 32619)
@@ -65,8 +65,11 @@
&& length( cwd(). $LONG_FILE ) > 247;
### warn if we are going to skip long file names
-$TOO_LONG ? diag("No long filename support - long filename extraction disabled")
- : ( push @EXPECT_NORMAL, [ [], $LONG_FILE, qr/^hello\s*$/] ) ;
+if ($TOO_LONG) {
+ diag("No long filename support - long filename extraction disabled") if ! $ENV{PERL_CORE};
+} else {
+ push @EXPECT_NORMAL, [ [], $LONG_FILE, qr/^hello\s*$/];
+}
my @ROOT = grep { length } 'src', $TOO_LONG ? 'short' : 'long';
@@ -131,6 +134,18 @@
### check if ->error eq $error
is( $tar->error, $Archive::Tar::error,
'$error matches error() method' );
+
+ ### check that 'contains_file' doesn't warn about missing files.
+ { ### turn on warnings in general!
+ local $Archive::Tar::WARN = 1;
+
+ my $warnings = '';
+ local $SIG{__WARN__} = sub { $warnings .= "@_" };
+
+ my $rv = $tar->contains_file( $$ );
+ ok( !$rv, "Does not contain file '$$'" );
+ is( $warnings, '', " No warnings issued during lookup" );
+ }
}
### read tests ###
Index: t/src/long/b
===================================================================
--- t/src/long/b (.../1.30-2) (revision 0)
+++ t/src/long/b (.../1.38-2) (revision 32619)
@@ -0,0 +1 @@
+bbbbbbbbbbb
Index: t/src/long/foo.tgz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes on: t/src/long/foo.tgz
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Index: t/src/long/bar.tar
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes on: t/src/long/bar.tar
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Index: t/src/short/b
===================================================================
--- t/src/short/b (.../1.30-2) (revision 0)
+++ t/src/short/b (.../1.38-2) (revision 32619)
@@ -0,0 +1 @@
+bbbbbbbbbbb
Index: t/src/short/foo.tgz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes on: t/src/short/foo.tgz
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Index: t/src/short/bar.tar
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes on: t/src/short/bar.tar
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Index: MANIFEST
===================================================================
--- MANIFEST (.../1.30-2) (revision 32619)
+++ MANIFEST (.../1.38-2) (revision 32619)
@@ -7,11 +7,15 @@
Makefile.PL
MANIFEST This list of files
README
-t/00_setup.t
t/01_use.t
t/02_methods.t
t/03_file.t
t/04_resolved_issues.t
-t/99_clean.t
t/99_pod.t
+t/src/long/b
+t/src/long/bar.tar
+t/src/long/foo.tgz
+t/src/short/b
+t/src/short/bar.tar
+t/src/short/foo.tgz
META.yml Module meta-data (added by MakeMaker)
Index: META.yml
===================================================================
--- META.yml (.../1.30-2) (revision 32619)
+++ META.yml (.../1.38-2) (revision 32619)
@@ -1,7 +1,7 @@
# http://module-build.sourceforge.net/META-spec.html
#XXXXXXX This is a prototype!!! It will change in the future!!! XXXXX#
name: Archive-Tar
-version: 1.30
+version: 1.38
version_from: lib/Archive/Tar.pm
installdirs: site
requires:
Index: lib/Archive/Tar.pm
===================================================================
--- lib/Archive/Tar.pm (.../1.30-2) (revision 32619)
+++ lib/Archive/Tar.pm (.../1.38-2) (revision 32619)
@@ -9,15 +9,18 @@
use strict;
use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD
- $DO_NOT_USE_PREFIX $HAS_PERLIO $HAS_IO_STRING];
+ $DO_NOT_USE_PREFIX $HAS_PERLIO $HAS_IO_STRING
+ $INSECURE_EXTRACT_MODE
+ ];
-$DEBUG = 0;
-$WARN = 1;
-$FOLLOW_SYMLINK = 0;
-$VERSION = "1.30";
-$CHOWN = 1;
-$CHMOD = 1;
-$DO_NOT_USE_PREFIX = 0;
+$DEBUG = 0;
+$WARN = 1;
+$FOLLOW_SYMLINK = 0;
+$VERSION = "1.38";
+$CHOWN = 1;
+$CHMOD = 1;
+$DO_NOT_USE_PREFIX = 0;
+$INSECURE_EXTRACT_MODE = 0;
BEGIN {
use Config;
@@ -303,7 +306,7 @@
if ( $entry->is_file && !$entry->validate ) {
### sometimes the chunk is rather fux0r3d and a whole 512
- ### bytes ends p in the ->name area.
+ ### bytes ends up in the ->name area.
### clean it up, if need be
my $name = $entry->name;
$name = substr($name, 0, 100) if length $name > 100;
@@ -328,7 +331,7 @@
}
### throw away trailing garbage ###
- substr ($$data, $entry->size) = "";
+ substr ($$data, $entry->size) = "" if defined $$data;
### part II of the @LongLink munging -- need to do /after/
### the checksum check.
@@ -406,8 +409,13 @@
sub contains_file {
my $self = shift;
- my $full = shift or return;
+ my $full = shift;
+
+ return unless defined $full;
+ ### don't warn if the entry isn't there.. that's what this function
+ ### is for after all.
+ local $WARN = 0;
return 1 if $self->_find_entry($full);
return;
}
@@ -491,7 +499,7 @@
=head2 $tar->extract_file( $file, [$extract_path] )
Write an entry, whose name is equivalent to the file name provided to
-disk. Optionally takes a second parameter, which is the full (unix)
+disk. Optionally takes a second parameter, which is the full native
path (including filename) the entry will be written to.
For example:
@@ -506,7 +514,7 @@
sub extract_file {
my $self = shift;
- my $file = shift or return;
+ my $file = shift; return unless defined $file;
my $alt = shift;
my $entry = $self->_find_entry( $file )
@@ -537,16 +545,68 @@
my $dir;
### is $name an absolute path? ###
if( File::Spec->file_name_is_absolute( $dirs ) ) {
+
+ ### absolute names are not allowed to be in tarballs under
+ ### strict mode, so only allow it if a user tells us to do it
+ if( not defined $alt and not $INSECURE_EXTRACT_MODE ) {
+ $self->_error(
+ q[Entry ']. $entry->full_path .q[' is an absolute path. ].
+ q[Not extracting absolute paths under SECURE EXTRACT MODE]
+ );
+ return;
+ }
+
+ ### user asked us to, it's fine.
$dir = $dirs;
### it's a relative path ###
} else {
my $cwd = (defined $self->{cwd} ? $self->{cwd} : cwd());
- my @dirs = File::Spec::Unix->splitdir( $dirs );
- my @cwd = File::Spec->splitdir( $cwd );
- $dir = File::Spec->catdir( @cwd, @dirs );
- # catdir() returns undef if the path is longer than 255 chars on VMS
+ my @dirs = defined $alt
+ ? File::Spec->splitdir( $dirs ) # It's a local-OS path
+ : File::Spec::Unix->splitdir( $dirs ); # it's UNIX-style, likely
+ # straight from the tarball
+
+ ### paths that leave the current directory are not allowed under
+ ### strict mode, so only allow it if a user tells us to do this.
+ if( not defined $alt and
+ not $INSECURE_EXTRACT_MODE and
+ grep { $_ eq '..' } @dirs
+ ) {
+ $self->_error(
+ q[Entry ']. $entry->full_path .q[' is attempting to leave the ].
+ q[current working directory. Not extracting under SECURE ].
+ q[EXTRACT MODE]
+ );
+ return;
+ }
+
+ ### '.' is the directory delimiter, of which the first one has to
+ ### be escaped/changed.
+ map tr/\./_/, @dirs if ON_VMS;
+
+ my ($cwd_vol,$cwd_dir,$cwd_file)
+ = File::Spec->splitpath( $cwd );
+ my @cwd = File::Spec->splitdir( $cwd_dir );
+ push @cwd, $cwd_file if length $cwd_file;
+
+ ### We need to pass '' as the last elemant to catpath. Craig Berry
+ ### explains why (msgid <p0624083dc311ae541393@[172.16.52.1]>):
+ ### The root problem is that splitpath on UNIX always returns the
+ ### final path element as a file even if it is a directory, and of
+ ### course there is no way it can know the difference without checking
+ ### against the filesystem, which it is documented as not doing. When
+ ### you turn around and call catpath, on VMS you have to know which bits
+ ### are directory bits and which bits are file bits. In this case we
+ ### know the result should be a directory. I had thought you could omit
+ ### the file argument to catpath in such a case, but apparently on UNIX
+ ### you can't.
+ $dir = File::Spec->catpath(
+ $cwd_vol, File::Spec->catdir( @cwd, @dirs ), ''
+ );
+
+ ### catdir() returns undef if the path is longer than 255 chars on VMS
unless ( defined $dir ) {
$^W && $self->_error( qq[Could not compose a path for '$dirs'\n] );
return;
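Review bot: The new `grep { $_ eq '..' } @dirs` test is a purely lexical check on the entry's directory components, so it says nothing about where the composed $dir ends up when a component under cwd is already a symlink. Either document that secure mode covers only absolute names and '..' components, or compare the resolved destination against $cwd before creating anything. Both checks are also skipped whenever $alt is defined, so a caller that derives $alt from archive contents gets no protection; that deserves a sentence in the extract_file POD.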
@@ -565,6 +625,17 @@
$self->_error( qq[Could not create directory '$dir': $@] );
return;
}
+
+ ### XXX chown here? that might not be the same as in the archive
+ ### as we're only chown'ing to the owner of the file we're extracting
+ ### not to the owner of the directory itself, which may or may not
+ ### be another entry in the archive
+ ### Answer: no, gnu tar doesn't do it either, it'd be the wrong
+ ### way to go.
+ #if( $CHOWN && CAN_CHOWN ) {
+ # chown $entry->uid, $entry->gid, $dir or
+ # $self->_error( qq[Could not set uid/gid on '$dir'] );
+ #}
}
### we're done if we just needed to create a dir ###
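Review bot: The commented-out chown block at the end of this hunk is dead code; the "Answer: no, gnu tar doesn't do it either" comment already records the decision. Drop the four `#if( $CHOWN && CAN_CHOWN )` lines and keep only the rationale.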
@@ -1116,7 +1187,7 @@
my @rv;
for my $file ( @files ) {
- unless( -e $file ) {
+ unless( -e $file || -l $file ) {
$self->_error( qq[No such file: '$file'] );
next;
}
@@ -1511,6 +1582,23 @@
warn $tar->error unless $tar->extract;
+=head2 $Archive::Tar::INSECURE_EXTRACT_MODE
+
+This variable indicates whether C<Archive::Tar> should allow
+files to be extracted outside their current working directory.
+
+Allowing this could have security implications, as a malicious
+tar archive could alter or replace any file the extracting user
+has permissions to. Therefor, the default is to not allow
+insecure extractions.
+
+If you trust the archive, or have other reasons to allow the
+archive to write files outside your current working directory,
+set this variable to C<true>.
+
+Note that this is a backwards incompatible change from version
+C<1.36> and before.
+
=head2 $Archive::Tar::HAS_PERLIO
This variable holds a boolean indicating if we currently have
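Review bot: The new POD for $INSECURE_EXTRACT_MODE does not say that the restriction applies only when no explicit extract path is given (the code tests `not defined $alt`). State that here so users do not assume extract_file( $file, $extract_path ) is covered. In the same text, "Therefor" should be "Therefore", and "set this variable to C<true>" reads better as "to a true value".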
@@ -1595,6 +1683,10 @@
C<$Archive::Tar::DO_NOT_USE_PREFIX> variable to C<true>. See the
C<GLOBAL VARIABLES> section for details on this variable.
+Note that GNU tar earlier than version 1.14 does not cope well with
+the C<POSIX header prefix>. If you use such a version, consider setting
+the C<$Archive::Tar::DO_NOT_USE_PREFIX> variable to C<true>.
+
=item How do I extract only files that have property X from an archive?
Sometimes, you might not wish to extract a complete archive, just
@@ -1651,7 +1743,57 @@
$tar->write($fh);
$fh->close ;
+=item How do I handle Unicode strings?
+C<Archive::Tar> uses byte semantics for any files it reads from or writes
+to disk. This is not a problem if you only deal with files and never
+look at their content or work solely with byte strings. But if you use
+Unicode strings with character semantics, some additional steps need
+to be taken.
+
+For example, if you add a Unicode string like
+
+ # Problem
+ $tar->add_data('file.txt', "Euro: \x{20AC}");
+
+then there will be a problem later when the tarfile gets written out
+to disk via C<$tar->write()>:
+
+ Wide character in print at .../Archive/Tar.pm line 1014.
+
+The data was added as a Unicode string and when writing it out to disk,
+the C<:utf8> line discipline wasn't set by C<Archive::Tar>, so Perl
+tried to convert the string to ISO-8859 and failed. The written file
+now contains garbage.
+
+For this reason, Unicode strings need to be converted to UTF-8-encoded
+bytestrings before they are handed off to C<add_data()>:
+
+ use Encode;
+ my $data = "Accented character: \x{20AC}";
+ $data = encode('utf8', $data);
+
+ $tar->add_data('file.txt', $data);
+
+A opposite problem occurs if you extract a UTF8-encoded file from a
+tarball. Using C<get_content()> on the C<Archive::Tar::File> object
+will return its content as a bytestring, not as a Unicode string.
+
+If you want it to be a Unicode string (because you want character
+semantics with operations like regular expression matching), you need
+to decode the UTF8-encoded content and have Perl convert it into
+a Unicode string:
+
+ use Encode;
+ my $data = $tar->get_content();
+
+ # Make it a Unicode string
+ $data = decode('utf8', $data);
+
+There is no easy way to provide this functionality in C<Archive::Tar>,
+because a tarball can contain many files, and each of which could be
+encoded in a different way.
+
=back
=head1 TODO
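Review bot: The decoding example calls `my $data = $tar->get_content();` on $tar with no argument, while the paragraph before it says get_content() is called on the C<Archive::Tar::File> object; make the example use a file object, or pass the file name, so the two agree. For content taken from an archive, decode('UTF-8', ...) is the strict form and rejects malformed sequences, whereas 'utf8' is Perl's lax variant. Smaller points: "A opposite problem" should be "The opposite problem", and the sample string "Accented character: \x{20AC}" is the euro sign, not an accented character.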
@@ -1704,9 +1846,10 @@
=head1 AUTHOR
-This module by
-Jos Boumans E<lt>kane@cpan.orgE<gt>.
+This module by Jos Boumans E<lt>kane@cpan.orgE<gt>.
+Please reports bugs to E<lt>bug-archive-tar@rt.cpan.orgE<gt>.
+
=head1 ACKNOWLEDGEMENTS
Thanks to Sean Burke, Chris Nandor, Chip Salzenberg, Tim Heaney and
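Review bot: "Please reports bugs" in the added AUTHOR line should read "Please report bugs".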
@@ -1714,12 +1857,10 @@
=head1 COPYRIGHT
-This module is
-copyright (c) 2002 Jos Boumans E<lt>kane@cpan.orgE<gt>.
-All rights reserved.
+This module is copyright (c) 2002 - 2007 Jos Boumans
+E<lt>kane@cpan.orgE<gt>. All rights reserved.
-This library is free software;
-you may redistribute and/or modify it under the same
-terms as Perl itself.
+This library is free software; you may redistribute and/or modify
+it under the same terms as Perl itself.
=cut
Index: lib/Archive/Tar/Constant.pm
===================================================================
--- lib/Archive/Tar/Constant.pm (.../1.30-2) (revision 32619)
+++ lib/Archive/Tar/Constant.pm (.../1.38-2) (revision 32619)
@@ -10,7 +10,7 @@
BLOCK_SIZE TAR_PAD TAR_END ON_UNIX BLOCK CAN_READLINK MAGIC
TAR_VERSION UNAME GNAME CAN_CHOWN MODE CHECK_SUM UID GID
GZIP_MAGIC_NUM MODE_READ LONGLINK LONGLINK_NAME PREFIX_LENGTH
- LABEL NAME_LENGTH STRIP_MODE
+ LABEL NAME_LENGTH STRIP_MODE ON_VMS
];
require Time::Local if $^O eq "MacOS";
@@ -43,8 +43,8 @@
# Pointless assignment to make -w shut up
my $getpwuid; $getpwuid = 'unknown' unless eval { my $f = getpwuid (0); };
my $getgrgid; $getgrgid = 'unknown' unless eval { my $f = getgrgid (0); };
-use constant UNAME => sub { $getpwuid || scalar getpwuid( shift() ) };
-use constant GNAME => sub { $getgrgid || scalar getgrgid( shift() ) };
+use constant UNAME => sub { $getpwuid || scalar getpwuid( shift() ) || '' };
+use constant GNAME => sub { $getgrgid || scalar getgrgid( shift() ) || '' };
use constant UID => $>;
use constant GID => (split ' ', $) )[0];
@@ -73,5 +73,6 @@
use constant CAN_CHOWN => do { ($> == 0 and $^O ne "MacOS" and $^O ne "MSWin32") };
use constant CAN_READLINK => ($^O ne 'MSWin32' and $^O !~ /RISC(?:[ _])?OS/i and $^O ne 'VMS');
use constant ON_UNIX => ($^O ne 'MSWin32' and $^O ne 'MacOS' and $^O ne 'VMS');
+use constant ON_VMS => $^O eq 'VMS';
1;
Index: lib/Archive/Tar/File.pm
===================================================================
--- lib/Archive/Tar/File.pm (.../1.30-2) (revision 32619)
+++ lib/Archive/Tar/File.pm (.../1.38-2) (revision 32619)
@@ -200,7 +200,7 @@
sub _new_from_chunk {
my $class = shift;
- my $chunk = shift or return;
+ my $chunk = shift or return; # 512 bytes of tar header
my %hash = @_;
### filter any arguments on defined-ness of values.
@@ -233,18 +233,34 @@
sub _new_from_file {
my $class = shift;
- my $path = shift or return;
+ my $path = shift;
+
+ ### path has to at least exist
+ return unless defined $path;
+
my $type = __PACKAGE__->_filetype($path);
my $data = '';
- unless ($type == DIR) {
- my $fh = IO::File->new;
- $fh->open($path) or return;
+ READ: {
+ unless ($type == DIR ) {
+ my $fh = IO::File->new;
+
+ unless( $fh->open($path) ) {
+ ### dangling symlinks are fine, stop reading but continue
+ ### creating the object
+ last READ if $type == SYMLINK;
+
+ ### otherwise, return from this function --
+ ### anything that's *not* a symlink should be
+ ### resolvable
+ return;
+ }
- ### binmode needed to read files properly on win32 ###
- binmode $fh;
- $data = do { local $/; <$fh> };
- close $fh;
+ ### binmode needed to read files properly on win32 ###
+ binmode $fh;
+ $data = do { local $/; <$fh> };
+ close $fh;
+ }
}
my @items = qw[mode uid gid size mtime];
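Review bot: In the READ block a SYMLINK entry still goes through `$fh->open($path)` and, when the target exists, has the target's contents slurped into $data; only a failed open takes the `last READ` path. If a symlink entry is meant to carry no data, skip the read for $type == SYMLINK up front instead of relying on the open failing. The comment "path has to at least exist" also overstates the `defined $path` check beneath it.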
@@ -292,7 +308,7 @@
sub _new_from_data {
my $class = shift;
- my $path = shift or return;
+ my $path = shift; return unless defined $path;
my $data = shift; return unless defined $data;
my $opt = shift;
@@ -359,7 +375,9 @@
sub _filetype {
my $self = shift;
- my $file = shift or return;
+ my $file = shift;
+
+ return unless defined $file;
return SYMLINK if (-l $file); # Symlink
@@ -503,7 +521,9 @@
sub rename {
my $self = shift;
- my $path = shift or return;
+ my $path = shift;
+
+ return unless defined $path;
my ($prefix,$file) = $self->_prefix_and_file( $path );
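Review bot: Replacing `shift or return` with `return unless defined $path` in rename fixes names such as '0', but it also lets the empty string through, which the old code rejected. Consider `return unless defined $path and length $path` here, and the same for the _filetype and _new_from_data changes in this file.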
Index: CHANGES
===================================================================
--- CHANGES (.../1.30-2) (revision 32619)
+++ CHANGES (.../1.38-2) (revision 32619)
@@ -1,3 +1,49 @@
+* important changes in vesrion 1.38 14/12/2007:
+- Promote 1.37_01 to stable.
+
+* important changes in version 1.37_01 11/11/2007:
+_ Address #30380: directory traversal vulnerability in Archive-Tar
+ - Add $INSECURE_EXTRACT_MODE which defaults to 0, disallowing
+ archives to extract files outside of cwd(). This is a backwards
+ incompatible change from 1.36 and before.
+ - Add a -I option to ptar to enable insecure extraction if needed
+
+* important changes in version 1.36 16/9/2007:
+- Portability fixes for VMS, as offered by Craig Berry.
+
+* important changes in version 1.34 15/8/2007:
+- Address #28687: Fwd: Unespected reaction of Archive::Tar
+ A::T didn't always handle filenames that evaluated to false
+ (like '0') gracefully. This patch adds a few 'or defined' check
+ to the A::T codebase and a test to ensure filenames like '0' are
+ handeled correctly.
+- Apply #28407: Unicode and Archive::Tar - documentation patch as
+ FAQ patch
+
+* important changes in version 1.32 25/7/2007:
+- Apply #28407: Unicode and Archive::Tar - documentation patch as
+ FAQ patch
+- Following a report from rgs that A::T 1.31 doesn't play nicely
+ with -Dmksymlinks under perl core, rewrite the symlink logic in
+ A::T::File->new to continue building an object when reading a
+ symlink fails, rather than refusing to read on a symlink (which
+ is obviously wrong)
+- Quell warnings when a gid is not resolvable to a group name
+
+* important changes in version 1.31 18/5/2007:
+- No longer use the t/setup.t and t/cleanup.t files but just bundle
+ the binary files; this was done for core integration, but the new
+ uupacktool.pl script means we dont have to do this anymore
+_ Apply core perl Change 30997 by rgs@stcosmo on 2007/04/20 15:03:57
+- Address: #27124: Unneeded warning sent when checking for file
+ inclusion contains_file() will no longer warn to STDERR when a file
+ is not contained in an archive and $WARN is set to 'true'.
+- Address #26492: Dangling symlinks not preserved: Archive::Tar used
+ to complain about dangling symlinks, unlike standard gnu tar, which
+ would add them silently. This patch brings A::T's behaviour in line
+ with gnu tar
+- Minor pod fixes
+
* important changes in version 1.30 8/2/2006:
- applied bleadperl patch: Subject: Change 27416:
Cleanup Archive-Tar temporary test files
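Review bot: The 1.38 heading is misspelled ("vesrion"), two entries start with `_` instead of `-` ("_ Address #30380" and "_ Apply core perl Change 30997"), and "Apply #28407" is listed under both 1.34 and 1.32. "handeled" in the 1.34 entry should be "handled". Since the 1.37_01 entry records a backwards-incompatible default, it would help to name the opt-outs together there: $INSECURE_EXTRACT_MODE for the module and -I for ptar.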
Index: bin/ptar
===================================================================
--- bin/ptar (.../1.30-2) (revision 32619)
+++ bin/ptar (.../1.38-2) (revision 32619)
@@ -6,14 +6,17 @@
use File::Find;
my $opts = {};
-getopts('dcvzthxf:', $opts) or die usage();
+getopts('dcvzthxf:I', $opts) or die usage();
### show the help message ###
die usage() if $opts->{h};
### enable debugging (undocumented feature)
-local $Archive::Tar::DEBUG = 1 if $opts->{d};
+local $Archive::Tar::DEBUG = 1 if $opts->{d};
+### enable insecure extracting.
+local $Archive::Tar::INSECURE_EXTRACT_MODE = 1 if $opts->{I};
+
### sanity checks ###
unless ( 1 == grep { defined $opts->{$_} } qw[x t c] ) {
die "You need exactly one of 'x', 't' or 'c' options: " . usage();
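Review bot: `I` is added to the getopts string, but the sanity check that follows only validates x/t/c, so -I is silently accepted together with -c or -t, where it has no effect. Warn or die when -I is given without -x, so that a user who passes it by habit notices. The `local` on $Archive::Tar::INSECURE_EXTRACT_MODE at file scope behaves like a plain assignment for the life of the script; that is fine, but a short comment saying it is intentional would help.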
@@ -24,6 +27,7 @@
my $file = $opts->{f} ? $opts->{f} : 'default.tar';
my $tar = Archive::Tar->new();
+
if( $opts->{c} ) {
my @files;
find( sub { push @files, $File::Find::name;
@@ -64,6 +68,8 @@
z Read/Write zlib compressed ARCHIVE_FILE (not always available)
v Print filenames as they are added or extraced from ARCHIVE_FILE
h Prints this help message
+ I Enable 'Insecure Extract Mode', which allows archives to extract
+ files outside the current working directory. (Not advised).
See Also:
tar(1)