On Sun, 15 Mar 2009 12:22:37 +0100, Luk Claes wrote:

> >>> This is Debian bug #449544. [..]
> >>> However it would be nice if this could get fixed via a regular point update[1].
> >> Nico brought this point to our (pkg-perl's) attention - After some
> >> discussion in the pkg-perl IRC channel, we found that the intermediate
> >> releases between the version shipped in Etch (1.30) and the one where
> >> this bug was fixed (1.38) were all reliability-related [1], and appear
> >> to be not too broad. So, even if we could just pick up the required
> >> changeset to make a specific 1.30-2+etch1 upload, it would be better
> >> just to upload 1.38 to Etch instead - Please tell us what to do.
> > Looking at the changelog it looks indeed like it would be a
> > good idea to ship 1.38. Would that be a problem for the
> > release team?
> It depends on the diff.

Oops, it seems that nobody has picked up that question yet, sorry for
that.

I'm attaching the diff between 1.30-2 (in oldstable) and 1.38-2 (the
last version in the archive that got removed later).

The diff is created by

  svn diff svn+ssh://svn.debian.org/svn/pkg-perl/attic/libarchive-tar-perl/tags/1.30-2 svn+ssh://svn.debian.org/svn/pkg-perl/attic/libarchive-tar-perl/tags/1.38-2

Cheers,
gregor
-- 
 .''`.   Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-    NP: Pink Floyd: In The Flesh

Index: debian/control =================================================================== --- debian/control (.../1.30-2) (revision 32619) +++ debian/control (.../1.38-2) (revision 32619) 
@@ -2,24 +2,23 @@ Section: perl Priority: optional Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> -Uploaders: gregor herrmann <gregor+debian@comodo.priv.at>, Alexis Sukrieh <sukria@debian.org> -XS-Vcs-Svn: svn://svn.debian.org/svn/pkg-perl/packages/libarchive-tar-perl/trunk/ -Standards-Version: 3.7.2 +Uploaders: gregor herrmann <gregor+debian@comodo.priv.at>, + Alexis Sukrieh <sukria@debian.org>, Gunnar Wolf <gwolf@debian.org>, + Rene Mayorga <rmayorga@debian.org.sv>, Damyan Ivanov <dmn@debian.org>, + Russ Allbery <rra@debian.org> +Standards-Version: 3.7.3 +Homepage: http://search.cpan.org/dist/Archive-Tar/ +Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libarchive-tar-perl/ +Vcs-Browser: http://svn.debian.org/wsvn/pkg-perl/trunk/libarchive-tar-perl/ Build-Depends: debhelper (>= 5) -Build-Depends-Indep: perl (>> 5.8.1) +Build-Depends-Indep: perl (>> 5.8.1), libtest-pod-perl, libio-zlib-perl Package: libarchive-tar-perl Architecture: all Depends: ${perl:Depends}, libio-zlib-perl -Suggests: libio-string-perl -Description: Archive::Tar - manipulate tar files in perl - Archive::Tar allows you to create, read, write, extract & update tar - files using native perl code (no system('tar -xf')). It supports - both compressed & uncompressed tarfiles as well as most of the GNU +Suggests: libio-string-perl, libtext-diff-perl +Description: manipulate tar files in Perl + Archive::Tar allows you to create, read, write, extract, and update tar + files using native Perl code (no system('tar -xf')). It supports + both compressed and uncompressed tarfiles as well as most of the GNU extensions to the standard tar structure. - . - Archive::Tar provides an object oriented mechanism for handling tar - files. It provides class methods for quick and easy files handling - while also allowing for the creation of tar file objects for custom - manipulation. 
If you have the Compress::Zlib module installed, - Archive::Tar will also support compressed or gzipped tar files. Index: debian/watch =================================================================== --- debian/watch (.../1.30-2) (revision 32619) +++ debian/watch (.../1.38-2) (revision 32619) @@ -1,2 +1,2 @@ -version=2 -http://search.cpan.org/CPAN/authors/id/K/KA/KANE/Archive-Tar-([\d\.]*)\.tar\.gz +version=3 +http://search.cpan.org/dist/Archive-Tar/ .*/Archive-Tar-v?(\d[\d_.]+)\.(?:tar(?:\.gz|\.bz2)?|tgz|zip) Index: debian/changelog =================================================================== --- debian/changelog (.../1.30-2) (revision 32619) +++ debian/changelog (.../1.38-2) (revision 32619) 
@@ -1,3 +1,91 @@ +libarchive-tar-perl (1.38-2) unstable; urgency=low + + [ gregor herrmann ] + * debian/rules: delete /usr/lib/perl5 only if it exists. + (Closes: #467663) + + [ Russ Allbery ] + * debian/rules cleanup: + - Restructure to match a typical debian/rules for the group. + - Add build-arch and build-indep targets. + - Call install instead of pure_install to match normal practice. + * debian/control: remove the module name from the short description + and remove the redundant and inaccurate second paragraph of the long + description. + + -- Russ Allbery <rra@debian.org> Mon, 03 Mar 2008 23:52:55 -0800 + +libarchive-tar-perl (1.38-1) unstable; urgency=high + + * New upstream release: + - fixes security bug "directory traversal vulnerability" - CVE-2007-4829 + (closes: #449544) + - urgency set to high because of the security fix + - add NEWS.Debian that documents the changed behaviour + * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser + field (source stanza); Homepage field (source stanza). Removed: + Homepage pseudo-field (Description); XS-Vcs-Svn fields. + * Set Standards-Version to 3.7.3 (no changes required). + * Add libtext-diff-perl to Suggests:. + * debian/watch: use dist-based URL. + * debian/rules: use dh_listpackages to get package name. 
+ + -- gregor herrmann <gregor+debian@comodo.priv.at> Wed, 26 Dec 2007 00:32:24 +0100 + +libarchive-tar-perl (1.36-1) unstable; urgency=low + + * New upstream release + * debian/changelog + + Upstream copyright info update + + Upstream URL added + * debian/control + + Homepage field added + + -- Rene Mayorga <rmayorga@debian.org.sv> Sun, 16 Sep 2007 21:38:11 -0600 + +libarchive-tar-perl (1.34-1) unstable; urgency=low + + [ Rene Mayorga ] + * New upstream release + + [ Damyan Ivanov ] + * debian/copyright: note that DPG is the current maintainer + * Drop LD_* option from $(MAKE) + * Add $(MAKE) test + + Added libtest-pod-perl and libio-zlib-perl to Build-Depends-Indep to run + as much tests as possible + * Drop unneeded dh_installdirs + * Added myself to Uploaders: (and wrapped it) + + -- Damyan Ivanov <dmn@debian.org> Fri, 17 Aug 2007 11:43:23 +0300 + +libarchive-tar-perl (1.32-1) unstable; urgency=low + + * [Rene Mayorga] + New upstream release + + * [Damyan Ivanov] + Drop dpatch, it is unused (rules, control, patches) + Remove other cruft from debian/rules + + -- Rene Mayorga <rmayorga@debian.org.sv> Tue, 03 Jul 2007 16:56:17 -0600 + +libarchive-tar-perl (1.31-1) unstable; urgency=low + + * New upstream release + * Removed debian/patches/10_dont_warn_when_only_checking.dpatch as it + was integrated upstream + + -- Gunnar Wolf <gwolf@debian.org> Fri, 18 May 2007 16:35:09 -0500 + +libarchive-tar-perl (1.30-3) unstable; urgency=low + + * No longer sends out warnings when checking whether a file exists + inside an archive (Closes: #318497) + * Added dpatch framework (and, of course, build-dependency) + + -- Gunnar Wolf <gwolf@debian.org> Mon, 14 May 2007 10:48:59 -0500 + libarchive-tar-perl (1.30-2) unstable; urgency=low [ gregor herrmann ] Index: debian/copyright =================================================================== --- debian/copyright (.../1.30-2) (revision 32619) +++ debian/copyright (.../1.38-2) (revision 32619) 
@@ -7,16 +7,20 @@ from the Comprehensive Perl Archive Network (CPAN). Visit <URL:http://www.perl.com/CPAN/> to find a CPAN site near you. +You can find the original sources at: http://search.cpan.org/dist/Archive-Tar/ + The only change for the Debian package was the addition of the debian/ files. It was maintained by Stephen Zander <gibreel@pobox.com> until -10 Oct 2004 and is now maintained by Matthias Klose <doko@debian.org>. +10 Oct 2004, by Matthias Klose <doko@debian.org> until Nov 2006 and since then, +by the Debian Perl Group <debian-perl@lists.debian.org> + The Archive::Tar copright is as follows: Archive::Tar is Copyright 1997 Calle Dybedahl. All rights reserved. Copyright 1998 Stephen Zander. All rights reserved. - Copyright 2002 Jos Boumans. All rights reserved. + Copyright 2002 - 2007 Jos Boumans. All rights reserved. This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself. Index: debian/rules =================================================================== --- debian/rules (.../1.30-2) (revision 32619) +++ debian/rules (.../1.38-2) (revision 32619) 
@@ -2,56 +2,50 @@ # -*-makefile-*- # debian/rules file for libarchive-tar-perl -PERL ?= /usr/bin/perl +PACKAGE = $(shell dh_listpackages) +TMP = $(CURDIR)/debian/$(PACKAGE) +PERL ?= /usr/bin/perl -package := $(shell sed -ne 's/^Package: *//p' debian/control) -prefix := $(CURDIR)/debian/$(package)/usr - -version := $(shell dpkg-parsechangelog | \ - sed -ne 's/Version: *\([0-9]\+:\)*//p') - -tag: - cvs tag -c -F $(subst .,_,debian_version_$(version)) -ifeq ($(findstring -,$(version)),) - cvs tag -c -F $(subst .,_,upstream_version_$(version)) -endif - -build: build-stamp +build: build-arch build-indep +build-arch: +build-indep: build-stamp build-stamp: dh_testdir - $(PERL) Makefile.PL INSTALLDIRS=vendor PERL=$(PERL) - $(MAKE) LD_RUN_PATH= + $(PERL) Makefile.PL INSTALLDIRS=vendor + $(MAKE) + $(MAKE) test touch $@ -clean: checkroot - rm -f build-stamp +clean: + dh_testdir + dh_testroot + rm -f build-stamp install-stamp [ ! -f Makefile ] || $(MAKE) distclean dh_clean -binary-indep: checkroot build +install: install-stamp +install-stamp: build-stamp + dh_testdir + dh_testroot dh_clean - dh_installdirs + $(MAKE) install DESTDIR=$(TMP) PREFIX=/usr + [ ! 
-d $(TMP)/usr/lib/perl5 ] || rmdir --ignore-fail-on-non-empty --parents --verbose $(TMP)/usr/lib/perl5 + touch $@ - $(MAKE) pure_install PREFIX=$(prefix) - rmdir --parents --ignore-fail-on-non-empty $(prefix)/lib/perl5 - +binary: binary-arch binary-indep +binary-arch: +binary-indep: build-stamp install-stamp + dh_testdir + dh_testroot dh_installdocs README dh_installchangelogs CHANGES - + dh_perl dh_compress dh_fixperms - dh_perl dh_installdeb dh_gencontrol dh_md5sums dh_builddeb -binary-arch: checkroot build - -binary: binary-indep binary-arch - -checkroot: - dh_testdir - dh_testroot - -.PHONY: binary binary-arch binary-indep clean checkroot build +.PHONY: binary binary-arch binary-indep build build-arch build-indep clean +.PHONY: install Index: debian/NEWS =================================================================== --- debian/NEWS (.../1.30-2) (revision 0) +++ debian/NEWS (.../1.38-2) (revision 32619) 
@@ -0,0 +1,23 @@ +libarchive-tar-perl (1.38-1) unstable; urgency=high + + libarchive-tar-perl before 1.38 had a security vulnerability regarding + directory traversal [0]. This bug is fixed in 1.38 resulting in a changed + (and backward incompatible) behaviour. From the upstream changelog: + + ~~~~~ + + _ Address #30380: directory traversal vulnerability in Archive-Tar + - Add $INSECURE_EXTRACT_MODE which defaults to 0, disallowing + archives to extract files outside of cwd(). This is a backwards + incompatible change from 1.36 and before. + - Add a -I option to ptar to enable insecure extraction if needed + + ~~~~~ + + [0] + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449544 + https://rt.cpan.org/Public/Bug/Display.html?id=30380 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4829 + + + -- gregor herrmann <gregor+debian@comodo.priv.at> Wed, 26 Dec 2007 00:13:50 +0100 Property changes on: debian ___________________________________________________________________ Added: svn-bp:tagsUrl + svn+ssh://svn.debian.org/svn/pkg-perl/tags/libarchive-tar-perl Added: svn-bp:TrunkUrl + svn+ssh://svn.debian.org/svn/pkg-perl/trunk/libarchive-tar-perl Added: svn-bp:upsTagUrl + svn+ssh://svn.debian.org/svn/pkg-perl/branches/upstream/libarchive-tar-perl Added: svn-bp:upsCurrentUrl + svn+ssh://svn.debian.org/svn/pkg-perl/branches/upstream/libarchive-tar-perl/current Index: t/00_setup.t =================================================================== --- t/00_setup.t (.../1.30-2) (revision 32619) +++ t/00_setup.t (.../1.38-2) (revision 32619) 
@@ -1,699 +0,0 @@ -BEGIN { - if( $ENV{PERL_CORE} ) { - chdir '../lib/Archive/Tar' if -d '../lib/Archive/Tar'; - } - use lib '../../..'; -} - -BEGIN { chdir 't' if -d 't' } - -use lib '../lib'; -use File::Spec (); - - -mkdir 'src' unless -d 'src'; - -for my $d ( map { File::Spec->catdir( 'src', $_ ) } qw(short long) ) { - -d $d or mkdir $d; - my $file = File::Spec->catfile($d,'b'); - open F, '>', $file or die "Can't create $file: $!\n"; - print F "bbbbbbbbbbb\n"; - close F; -} - -sub output { - my $file = shift; - open F, '>', $file or die "Can't create $file: $!\n"; - binmode F; - for (@_) { - print F pack "H*", $_; - } - close F; -} - -output( File::Spec->catfile( qw[src long bar.tar] ), qw( -6300000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000030313030363434003030303037363500303030303032340030303030 -3030303030313500303736353133313236323500303130303330002030000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0075737461722020006b616e6500000000000000000000000000000000000000 -0000000000000000007374616666000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -6969696969696969696969690a00000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 
-0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -6400000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000030313030363434003030303037363500303030303032340030303030 -3030303030313100303736353133313236323500303130303235002030000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0075737461722020006b616e6500000000000000000000000000000000000000 -0000000000000000007374616666000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -75757575757575750a0000000000000000000000000000000000000000000000 
-0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -6469726563746f72792f00000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000030303430373535003030303037363500303030303032340030303030 -3030303030303000303736353133313034303200303131363635002035000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0075737461722020006b616e6500000000000000000000000000000000000000 -0000000000000000007374616666000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 
-0000000000000000000000000000000000000000000000000000000000000000 -2e2f2e2f404c6f6e674c696e6b00000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000030303030303030003030303030303000303030303030300030303030 -303030303334330030303030303030303030300030313137303600204c000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -007573746172202000726f6f7400000000000000000000000000000000000000 -000000000000000000776865656c000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -6469726563746f72792f7265616c6c792d7265616c6c792d7265616c6c792d72 -65616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c -792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265 -616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c79 -2d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d726561 -6c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d -7265616c6c792d7265616c6c792d6c6f6e672d6469726563746f72792d6e616d -652f000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 
-0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -6469726563746f72792f7265616c6c792d7265616c6c792d7265616c6c792d72 -65616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c -792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265 -616c6c0030303430373030003030303037363500303030303032340030303030 -3030303030303000303736343036313031313100303333313031002035000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0075737461722020006b616e6500000000000000000000000000000000000000 -0000000000000000007374616666000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -2e2f2e2f404c6f6e674c696e6b00000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000030303030303030003030303030303000303030303030300030303030 -303030303335310030303030303030303030300030313137303500204c000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -007573746172202000726f6f7400000000000000000000000000000000000000 -000000000000000000776865656c000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 
-0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -6469726563746f72792f7265616c6c792d7265616c6c792d7265616c6c792d72 -65616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c -792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265 -616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c79 -2d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d726561 -6c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d -7265616c6c792d7265616c6c792d6c6f6e672d6469726563746f72792d6e616d -652f6d7966696c65000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -6469726563746f72792f7265616c6c792d7265616c6c792d7265616c6c792d72 -65616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c -792d7265616c6c792d7265616c6c792d7265616c6c792d7265616c6c792d7265 -616c6c0030313030363030003030303037363500303030303032340030303030 -3030303030303600303736343036313031313100303333303736002030000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0075737461722020006b616e6500000000000000000000000000000000000000 
-0000000000000000007374616666000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -68656c6c6f0a0000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 
-0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 
-0000000000000000000000000000000000000000000000000000000000000000 -)); -output( File::Spec->catfile( qw[src long foo.tgz] ), qw( -1f8b0800000000000003edd74b6e8330100660af730a2e4098c10fb63d009740 -8949501c902851c4ed6bc8ab515abaf2b485f93616c9481e64fe91bc11e10102 -18a5047899d1e30ae9e57984fe37ff074a4c4daac77a09220282dec4e9bd2bda -281287a2b65375beac2c291aa2557db2faed6618b92dc11e3fe71f5ff2ef17ce -3f81d315677f99b6556b375dd3f649b83d0014645a7f9f7f805bfe7d65eaf38f -c697453a5c4b0f0bcfff3a59276f7953eff2aa3e04dae37ec65faf20957cfe16 -10333022ca03f5f3e476fe6dd3745375e7bdb58ea2215a8ffcb7b670ae8ffff5 -e2fc871cdf5f29ae8ba30d38d7e680e0fc2ff3ff9af7e9f99f2a35dc05a54454 -3cff29fc89f9aff175fe6b9eff14e63fff8f7d59b9c9682f19c9fc1feeff93f3 -df0cf35f81411f7d1ce6bf7fe4fb3f85bd75aee1cb3f638c31c618638c31c6d8 -6c7d00dd7a588000280000 -)); -output( File::Spec->catfile( qw[src short bar.tar] ), qw( -6300000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000030313030363434003030303037363500303030303032340030303030 -3030303030313500303736353133313236323500303130303330002030000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0075737461722020006b616e6500000000000000000000000000000000000000 -0000000000000000007374616666000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -6969696969696969696969690a00000000000000000000000000000000000000 
-0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -0000000000000000000000000000000000000000000000000000000000000000 -)); -output( File::Spec->catfile( qw[src short foo.tgz] ), qw( -1f8b0800000000000003edd3410ac2301085e159f71439c24cdaa6e7296a4184 -2eaabd7f87e84210ecaa23c2ff6d862403799b7792e3a9a996ae137543e9ebd4 -fc3c57e677fe60ade592fbbadfaa240dc826ebfd312e29c96d9c2fdff67c6d9a -2202c5babe697e1d06e1ce017fecf7df3efaef83fe07585fe83e000000000000 -0000000000c07fda00d45b541f00280000 -)); - -print "1..1\nok 1 - setup done\n"; Index: t/99_clean.t =================================================================== --- t/99_clean.t (.../1.30-2) (revision 32619) +++ t/99_clean.t (.../1.38-2) (revision 32619) @@ -1,38 +0,0 @@ -#!perl -BEGIN { - if( $ENV{PERL_CORE} ) { - chdir '../lib/Archive/Tar' if -d '../lib/Archive/Tar'; - } - use lib '../../..'; -} - -BEGIN { chdir 't' if -d 't' } - -use lib '../lib'; -use File::Spec (); -use Test::More 'no_plan'; - -for my $d (qw(long short)) { - for my $f (qw(b bar.tar foo.tgz)) { - - my $path = File::Spec->catfile('src', $d, $f); - ok( -e $path, "File $path exists" ); - - 1 while unlink $path; - - ok(!-e $path, " File deleted" ); - } - - my $dir = File::Spec->catdir('src', $d); - - ok( -d $dir, "Dir $dir exists" ); - 1 while rmdir $dir; - ok(!-d $dir, " Dir deleted" ); - -} - -{ my $dir = 'src'; - ok( -d $dir, "Dir $dir exists" ); - 1 while rmdir $dir; - ok(!-d $dir, " Dir deleted" ); -} Index: t/03_file.t =================================================================== --- t/03_file.t (.../1.30-2) (revision 32619) +++ t/03_file.t (.../1.38-2) (revision 32619) 
@@ -20,6 +20,10 @@ [ 'x/bIn1', $all_chars ], [ 'bIn2', $all_chars x 2 ], [ 'bIn0', '' ], + + ### we didnt handle 'false' filenames very well across A::T as of version + ### 1.32, as reported in #28687. Test for the handling of such files here. + [ 0, '', ], ### keep this one as the last entry [ 'x/yy/z', '', { type => DIR, Index: t/04_resolved_issues.t =================================================================== --- t/04_resolved_issues.t (.../1.30-2) (revision 32619) +++ t/04_resolved_issues.t (.../1.38-2) (revision 32619) @@ -7,20 +7,25 @@ BEGIN { chdir 't' if -d 't' } -use Test::More 'no_plan'; +use Test::More 'no_plan'; +use File::Basename 'basename'; use strict; use lib '../lib'; my $NO_UNLINK = @ARGV ? 1 : 0; my $Class = 'Archive::Tar'; +my $FileClass = $Class . '::File'; use_ok( $Class ); +use_ok( $FileClass ); ### bug #13636 ### tests for @longlink behaviour on files that have a / at the end ### of their shortened path, making them appear to be directories -{ ### dont use the prefix, otherwise A::T will not use @longlink +{ ok( 1, "Testing bug 13636" ); + + ### dont use the prefix, otherwise A::T will not use @longlink ### encoding style local $Archive::Tar::DO_NOT_USE_PREFIX = 1; local $Archive::Tar::DO_NOT_USE_PREFIX = 1; 
@@ -33,25 +38,25 @@ ### first create the file { my $tar = $Class->new; - isa_ok( $tar, $Class ); + isa_ok( $tar, $Class, " Object" ); ok( $tar->add_data( $dir.$file => $$ ), - " Added long file" ); + " Added long file" ); - ok( $tar->write($out), " File written to $out" ); + ok( $tar->write($out), " File written to $out" ); } ### then read it back in { my $tar = $Class->new; - isa_ok( $tar, $Class ); - ok( $tar->read( $out ), " Read in $out again" ); + isa_ok( $tar, $Class, " Object" ); + ok( $tar->read( $out ), " Read in $out again" ); my @files = $tar->get_files; - is( scalar(@files), 1, " Only 1 entry found" ); + is( scalar(@files), 1, " Only 1 entry found" ); my $entry = shift @files; - ok( $entry->is_file, " Entry is a file" ); + ok( $entry->is_file, " Entry is a file" ); is( $entry->name, $dir.$file, - " With the proper name" ); + " With the proper name" ); } ### remove the file 
@@ -62,38 +67,88 @@ ### There's a bug in Archive::Tar that causes a file like: foo/foo.txt ### to be stored in the tar file as: foo/.txt ### XXX could not be reproduced in 1.26 -- leave test to be sure -{ my $dir = $$ . '/'; +{ ok( 1, "Testing bug 14922" ); + + my $dir = $$ . '/'; my $file = $$ . '.txt'; my $out = $$ . '.tar'; ### first create the file { my $tar = $Class->new; - isa_ok( $tar, $Class ); + isa_ok( $tar, $Class, " Object" ); ok( $tar->add_data( $dir.$file => $$ ), - " Added long file" ); + " Added long file" ); - ok( $tar->write($out), " File written to $out" ); + ok( $tar->write($out), " File written to $out" ); } ### then read it back in { my $tar = $Class->new; - isa_ok( $tar, $Class ); - ok( $tar->read( $out ), " Read in $out again" ); + isa_ok( $tar, $Class, " Object" ); + ok( $tar->read( $out ), " Read in $out again" ); my @files = $tar->get_files; - is( scalar(@files), 1, " Only 1 entry found" ); + is( scalar(@files), 1, " Only 1 entry found" ); my $entry = shift @files; - ok( $entry->is_file, " Entry is a file" ); + ok( $entry->is_file, " Entry is a file" ); is( $entry->full_path, $dir.$file, - " With the proper name" ); + " With the proper name" ); } ### remove the file unless( $NO_UNLINK ) { 1 while unlink $out } } +### bug #30380: directory traversal vulnerability in Archive-Tar +### Archive::Tar allowed files to be extracted to a dir outside +### it's cwd(), effectively allowing you to overwrite any files +### on the system, given the right permissions. +{ ok( 1, "Testing bug 30880" ); + + my $tar = $Class->new; + isa_ok( $tar, $Class, " Object" ); + ### absolute paths are already taken care of. Only relative paths + ### matter + my $in_file = basename($0); + my $out_file = '../' . $in_file . 
".$$"; + ok( $tar->add_files( $in_file ), + " Added '$in_file'" ); + ok( $tar->rename( $in_file, $out_file ), + " Renamed to '$out_file'" ); + ### first, test with strict extract permissions on + { local $Archive::Tar::INSECURE_EXTRACT_MODE = 0; + + ### we quell the error on STDERR + local $Archive::Tar::WARN = 0; + local $Archive::Tar::WARN = 0; + + ok( 1, " Extracting in secure mode" ); + + ok( ! $tar->extract_file( $out_file ), + " File not extracted" ); + ok( ! -e $out_file, " File '$out_file' does not exist" ); + + ok( $tar->error, " Error message stored" ); + like( $tar->error, qr/attempting to leave/, + " Proper violation detected" ); + } + + ### now disable those + { local $Archive::Tar::INSECURE_EXTRACT_MODE = 1; + ok( 1, " Extracting in insecure mode" ); + + ok( $tar->extract_file( $out_file ), + " File extracted" ); + ok( -e $out_file, " File '$out_file' exists" ); + + ### and clean up + unless( $NO_UNLINK ) { 1 while unlink $out_file }; + } + + +} Index: t/02_methods.t =================================================================== --- t/02_methods.t (.../1.30-2) (revision 32619) +++ t/02_methods.t (.../1.38-2) (revision 32619) @@ -65,8 +65,11 @@ && length( cwd(). $LONG_FILE ) > 247; ### warn if we are going to skip long file names -$TOO_LONG ? diag("No long filename support - long filename extraction disabled") - : ( push @EXPECT_NORMAL, [ [], $LONG_FILE, qr/^hello\s*$/] ) ; +if ($TOO_LONG) { + diag("No long filename support - long filename extraction disabled") if ! $ENV{PERL_CORE}; +} else { + push @EXPECT_NORMAL, [ [], $LONG_FILE, qr/^hello\s*$/]; +} my @ROOT = grep { length } 'src', $TOO_LONG ? 'short' : 'long'; 
@@ -131,6 +134,18 @@ ### check if ->error eq $error is( $tar->error, $Archive::Tar::error, '$error matches error() method' ); + + ### check that 'contains_file' doesn't warn about missing files. + { ### turn on warnings in general! + local $Archive::Tar::WARN = 1; + + my $warnings = ''; + local $SIG{__WARN__} = sub { $warnings .= "@_" }; + + my $rv = $tar->contains_file( $$ ); + ok( !$rv, "Does not contain file '$$'" ); + is( $warnings, '', " No warnings issued during lookup" ); + } } ### read tests ### Index: t/src/long/b =================================================================== --- t/src/long/b (.../1.30-2) (revision 0) +++ t/src/long/b (.../1.38-2) (revision 32619) @@ -0,0 +1 @@ +bbbbbbbbbbb Index: t/src/long/foo.tgz =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Property changes on: t/src/long/foo.tgz ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Index: t/src/long/bar.tar =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Property changes on: t/src/long/bar.tar ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Index: t/src/short/b =================================================================== --- t/src/short/b (.../1.30-2) (revision 0) +++ t/src/short/b (.../1.38-2) (revision 32619) 
@@ -0,0 +1 @@ +bbbbbbbbbbb Index: t/src/short/foo.tgz =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Property changes on: t/src/short/foo.tgz ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Index: t/src/short/bar.tar =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Property changes on: t/src/short/bar.tar ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Index: MANIFEST =================================================================== --- MANIFEST (.../1.30-2) (revision 32619) +++ MANIFEST (.../1.38-2) (revision 32619) @@ -7,11 +7,15 @@ Makefile.PL MANIFEST This list of files README -t/00_setup.t t/01_use.t t/02_methods.t t/03_file.t t/04_resolved_issues.t -t/99_clean.t t/99_pod.t +t/src/long/b +t/src/long/bar.tar +t/src/long/foo.tgz +t/src/short/b +t/src/short/bar.tar +t/src/short/foo.tgz META.yml Module meta-data (added by MakeMaker) Index: META.yml =================================================================== --- META.yml (.../1.30-2) (revision 32619) +++ META.yml (.../1.38-2) (revision 32619) @@ -1,7 +1,7 @@ # http://module-build.sourceforge.net/META-spec.html #XXXXXXX This is a prototype!!! It will change in the future!!! XXXXX# name: Archive-Tar -version: 1.30 +version: 1.38 version_from: lib/Archive/Tar.pm installdirs: site requires: Index: lib/Archive/Tar.pm =================================================================== --- lib/Archive/Tar.pm (.../1.30-2) (revision 32619) +++ lib/Archive/Tar.pm (.../1.38-2) (revision 32619) 
@@ -9,15 +9,18 @@ use strict; use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD - $DO_NOT_USE_PREFIX $HAS_PERLIO $HAS_IO_STRING]; + $DO_NOT_USE_PREFIX $HAS_PERLIO $HAS_IO_STRING + $INSECURE_EXTRACT_MODE + ]; -$DEBUG = 0; -$WARN = 1; -$FOLLOW_SYMLINK = 0; -$VERSION = "1.30"; -$CHOWN = 1; -$CHMOD = 1; -$DO_NOT_USE_PREFIX = 0; +$DEBUG = 0; +$WARN = 1; +$FOLLOW_SYMLINK = 0; +$VERSION = "1.38"; +$CHOWN = 1; +$CHMOD = 1; +$DO_NOT_USE_PREFIX = 0; +$INSECURE_EXTRACT_MODE = 0; BEGIN { use Config; @@ -303,7 +306,7 @@ if ( $entry->is_file && !$entry->validate ) { ### sometimes the chunk is rather fux0r3d and a whole 512 - ### bytes ends p in the ->name area. + ### bytes ends up in the ->name area. ### clean it up, if need be my $name = $entry->name; $name = substr($name, 0, 100) if length $name > 100; @@ -328,7 +331,7 @@ } ### throw away trailing garbage ### - substr ($$data, $entry->size) = ""; + substr ($$data, $entry->size) = "" if defined $$data; ### part II of the @LongLink munging -- need to do /after/ ### the checksum check. @@ -406,8 +409,13 @@ sub contains_file { my $self = shift; - my $full = shift or return; + my $full = shift; + + return unless defined $full; + ### don't warn if the entry isn't there.. that's what this function + ### is for after all. + local $WARN = 0; return 1 if $self->_find_entry($full); return; } @@ -491,7 +499,7 @@ =head2 $tar->extract_file( $file, [$extract_path] ) Write an entry, whose name is equivalent to the file name provided to -disk. Optionally takes a second parameter, which is the full (unix) +disk. Optionally takes a second parameter, which is the full native path (including filename) the entry will be written to. For example: @@ -506,7 +514,7 @@ sub extract_file { my $self = shift; - my $file = shift or return; + my $file = shift; return unless defined $file; my $alt = shift; my $entry = $self->_find_entry( $file ) 
@@ -537,16 +545,68 @@ my $dir; ### is $name an absolute path? ### if( File::Spec->file_name_is_absolute( $dirs ) ) { + + ### absolute names are not allowed to be in tarballs under + ### strict mode, so only allow it if a user tells us to do it + if( not defined $alt and not $INSECURE_EXTRACT_MODE ) { + $self->_error( + q[Entry ']. $entry->full_path .q[' is an absolute path. ]. + q[Not extracting absolute paths under SECURE EXTRACT MODE] + ); + return; + } + + ### user asked us to, it's fine. $dir = $dirs; ### it's a relative path ### } else { my $cwd = (defined $self->{cwd} ? $self->{cwd} : cwd()); - my @dirs = File::Spec::Unix->splitdir( $dirs ); - my @cwd = File::Spec->splitdir( $cwd ); - $dir = File::Spec->catdir( @cwd, @dirs ); - # catdir() returns undef if the path is longer than 255 chars on VMS + my @dirs = defined $alt + ? File::Spec->splitdir( $dirs ) # It's a local-OS path + : File::Spec::Unix->splitdir( $dirs ); # it's UNIX-style, likely + # straight from the tarball + + ### paths that leave the current directory are not allowed under + ### strict mode, so only allow it if a user tells us to do this. + if( not defined $alt and + not $INSECURE_EXTRACT_MODE and + grep { $_ eq '..' } @dirs + ) { + $self->_error( + q[Entry ']. $entry->full_path .q[' is attempting to leave the ]. + q[current working directory. Not extracting under SECURE ]. + q[EXTRACT MODE] + ); + return; + } + + ### '.' is the directory delimiter, of which the first one has to + ### be escaped/changed. + map tr/\./_/, @dirs if ON_VMS; + + my ($cwd_vol,$cwd_dir,$cwd_file) + = File::Spec->splitpath( $cwd ); + my @cwd = File::Spec->splitdir( $cwd_dir ); + push @cwd, $cwd_file if length $cwd_file; + + ### We need to pass '' as the last elemant to catpath. 
Craig Berry + ### explains why (msgid <p0624083dc311ae541393@[172.16.52.1]>): + ### The root problem is that splitpath on UNIX always returns the + ### final path element as a file even if it is a directory, and of + ### course there is no way it can know the difference without checking + ### against the filesystem, which it is documented as not doing. When + ### you turn around and call catpath, on VMS you have to know which bits + ### are directory bits and which bits are file bits. In this case we + ### know the result should be a directory. I had thought you could omit + ### the file argument to catpath in such a case, but apparently on UNIX + ### you can't. + $dir = File::Spec->catpath( + $cwd_vol, File::Spec->catdir( @cwd, @dirs ), '' + ); + + ### catdir() returns undef if the path is longer than 255 chars on VMS unless ( defined $dir ) { $^W && $self->_error( qq[Could not compose a path for '$dirs'\n] ); return; @@ -565,6 +625,17 @@ $self->_error( qq[Could not create directory '$dir': $@] ); return; } + + ### XXX chown here? that might not be the same as in the archive + ### as we're only chown'ing to the owner of the file we're extracting + ### not to the owner of the directory itself, which may or may not + ### be another entry in the archive + ### Answer: no, gnu tar doesn't do it either, it'd be the wrong + ### way to go. + #if( $CHOWN && CAN_CHOWN ) { + # chown $entry->uid, $entry->gid, $dir or + # $self->_error( qq[Could not set uid/gid on '$dir'] ); + #} } ### we're done if we just needed to create a dir ### @@ -1116,7 +1187,7 @@ my @rv; for my $file ( @files ) { - unless( -e $file ) { + unless( -e $file || -l $file ) { $self->_error( qq[No such file: '$file'] ); next; } 
@@ -1511,6 +1582,23 @@ warn $tar->error unless $tar->extract; +=head2 $Archive::Tar::INSECURE_EXTRACT_MODE + +This variable indicates whether C<Archive::Tar> should allow +files to be extracted outside their current working directory. + +Allowing this could have security implications, as a malicious +tar archive could alter or replace any file the extracting user +has permissions to. Therefor, the default is to not allow +insecure extractions. + +If you trust the archive, or have other reasons to allow the +archive to write files outside your current working directory, +set this variable to C<true>. + +Note that this is a backwards incompatible change from version +C<1.36> and before. + =head2 $Archive::Tar::HAS_PERLIO This variable holds a boolean indicating if we currently have @@ -1595,6 +1683,10 @@ C<$Archive::Tar::DO_NOT_USE_PREFIX> variable to C<true>. See the C<GLOBAL VARIABLES> section for details on this variable. +Note that GNU tar earlier than version 1.14 does not cope well with +the C<POSIX header prefix>. If you use such a version, consider setting +the C<$Archive::Tar::DO_NOT_USE_PREFIX> variable to C<true>. + =item How do I extract only files that have property X from an archive? Sometimes, you might not wish to extract a complete archive, just 
@@ -1651,7 +1743,57 @@ $tar->write($fh); $fh->close ; +=item How do I handle Unicode strings? +C<Archive::Tar> uses byte semantics for any files it reads from or writes +to disk. This is not a problem if you only deal with files and never +look at their content or work solely with byte strings. But if you use +Unicode strings with character semantics, some additional steps need +to be taken. + +For example, if you add a Unicode string like + + # Problem + $tar->add_data('file.txt', "Euro: \x{20AC}"); + +then there will be a problem later when the tarfile gets written out +to disk via C<$tar->write()>: + + Wide character in print at .../Archive/Tar.pm line 1014. + +The data was added as a Unicode string and when writing it out to disk, +the C<:utf8> line discipline wasn't set by C<Archive::Tar>, so Perl +tried to convert the string to ISO-8859 and failed. The written file +now contains garbage. + +For this reason, Unicode strings need to be converted to UTF-8-encoded +bytestrings before they are handed off to C<add_data()>: + + use Encode; + my $data = "Accented character: \x{20AC}"; + $data = encode('utf8', $data); + + $tar->add_data('file.txt', $data); + +A opposite problem occurs if you extract a UTF8-encoded file from a +tarball. Using C<get_content()> on the C<Archive::Tar::File> object +will return its content as a bytestring, not as a Unicode string. + +If you want it to be a Unicode string (because you want character +semantics with operations like regular expression matching), you need +to decode the UTF8-encoded content and have Perl convert it into +a Unicode string: + + use Encode; + my $data = $tar->get_content(); + + # Make it a Unicode string + $data = decode('utf8', $data); + +There is no easy way to provide this functionality in C<Archive::Tar>, +because a tarball can contain many files, and each of which could be +encoded in a different way. + =back =head1 TODO 
@@ -1704,9 +1846,10 @@ =head1 AUTHOR -This module by -Jos Boumans E<lt>kane@cpan.orgE<gt>. +This module by Jos Boumans E<lt>kane@cpan.orgE<gt>. +Please reports bugs to E<lt>bug-archive-tar@rt.cpan.orgE<gt>. + =head1 ACKNOWLEDGEMENTS Thanks to Sean Burke, Chris Nandor, Chip Salzenberg, Tim Heaney and @@ -1714,12 +1857,10 @@ =head1 COPYRIGHT -This module is -copyright (c) 2002 Jos Boumans E<lt>kane@cpan.orgE<gt>. -All rights reserved. +This module is copyright (c) 2002 - 2007 Jos Boumans +E<lt>kane@cpan.orgE<gt>. All rights reserved. -This library is free software; -you may redistribute and/or modify it under the same -terms as Perl itself. +This library is free software; you may redistribute and/or modify +it under the same terms as Perl itself. =cut Index: lib/Archive/Tar/Constant.pm =================================================================== --- lib/Archive/Tar/Constant.pm (.../1.30-2) (revision 32619) +++ lib/Archive/Tar/Constant.pm (.../1.38-2) (revision 32619) @@ -10,7 +10,7 @@ BLOCK_SIZE TAR_PAD TAR_END ON_UNIX BLOCK CAN_READLINK MAGIC TAR_VERSION UNAME GNAME CAN_CHOWN MODE CHECK_SUM UID GID GZIP_MAGIC_NUM MODE_READ LONGLINK LONGLINK_NAME PREFIX_LENGTH - LABEL NAME_LENGTH STRIP_MODE + LABEL NAME_LENGTH STRIP_MODE ON_VMS ]; require Time::Local if $^O eq "MacOS"; @@ -43,8 +43,8 @@ # Pointless assignment to make -w shut up my $getpwuid; $getpwuid = 'unknown' unless eval { my $f = getpwuid (0); }; my $getgrgid; $getgrgid = 'unknown' unless eval { my $f = getgrgid (0); }; -use constant UNAME => sub { $getpwuid || scalar getpwuid( shift() ) }; -use constant GNAME => sub { $getgrgid || scalar getgrgid( shift() ) }; +use constant UNAME => sub { $getpwuid || scalar getpwuid( shift() ) || '' }; +use constant GNAME => sub { $getgrgid || scalar getgrgid( shift() ) || '' }; use constant UID => $>; use constant GID => (split ' ', $) )[0]; 
@@ -73,5 +73,6 @@ use constant CAN_CHOWN => do { ($> == 0 and $^O ne "MacOS" and $^O ne "MSWin32") }; use constant CAN_READLINK => ($^O ne 'MSWin32' and $^O !~ /RISC(?:[ _])?OS/i and $^O ne 'VMS'); use constant ON_UNIX => ($^O ne 'MSWin32' and $^O ne 'MacOS' and $^O ne 'VMS'); +use constant ON_VMS => $^O eq 'VMS'; 1; Index: lib/Archive/Tar/File.pm =================================================================== --- lib/Archive/Tar/File.pm (.../1.30-2) (revision 32619) +++ lib/Archive/Tar/File.pm (.../1.38-2) (revision 32619) @@ -200,7 +200,7 @@ sub _new_from_chunk { my $class = shift; - my $chunk = shift or return; + my $chunk = shift or return; # 512 bytes of tar header my %hash = @_; ### filter any arguments on defined-ness of values. @@ -233,18 +233,34 @@ sub _new_from_file { my $class = shift; - my $path = shift or return; + my $path = shift; + + ### path has to at least exist + return unless defined $path; + my $type = __PACKAGE__->_filetype($path); my $data = ''; - unless ($type == DIR) { - my $fh = IO::File->new; - $fh->open($path) or return; + READ: { + unless ($type == DIR ) { + my $fh = IO::File->new; + + unless( $fh->open($path) ) { + ### dangling symlinks are fine, stop reading but continue + ### creating the object + last READ if $type == SYMLINK; + + ### otherwise, return from this function -- + ### anything that's *not* a symlink should be + ### resolvable + return; + } - ### binmode needed to read files properly on win32 ### - binmode $fh; - $data = do { local $/; <$fh> }; - close $fh; + ### binmode needed to read files properly on win32 ### + binmode $fh; + $data = do { local $/; <$fh> }; + close $fh; + } } my @items = qw[mode uid gid size mtime]; @@ -292,7 +308,7 @@ sub _new_from_data { my $class = shift; - my $path = shift or return; + my $path = shift; return unless defined $path; my $data = shift; return unless defined $data; my $opt = shift; 
@@ -359,7 +375,9 @@ sub _filetype { my $self = shift; - my $file = shift or return; + my $file = shift; + + return unless defined $file; return SYMLINK if (-l $file); # Symlink @@ -503,7 +521,9 @@ sub rename { my $self = shift; - my $path = shift or return; + my $path = shift; + + return unless defined $path; my ($prefix,$file) = $self->_prefix_and_file( $path ); Index: CHANGES =================================================================== --- CHANGES (.../1.30-2) (revision 32619) +++ CHANGES (.../1.38-2) (revision 32619) 
@@ -1,3 +1,49 @@ +* important changes in vesrion 1.38 14/12/2007: +- Promote 1.37_01 to stable. + +* important changes in version 1.37_01 11/11/2007: +_ Address #30380: directory traversal vulnerability in Archive-Tar + - Add $INSECURE_EXTRACT_MODE which defaults to 0, disallowing + archives to extract files outside of cwd(). This is a backwards + incompatible change from 1.36 and before. + - Add a -I option to ptar to enable insecure extraction if needed + +* important changes in version 1.36 16/9/2007: +- Portability fixes for VMS, as offered by Craig Berry. + +* important changes in version 1.34 15/8/2007: +- Address #28687: Fwd: Unespected reaction of Archive::Tar + A::T didn't always handle filenames that evaluated to false + (like '0') gracefully. This patch adds a few 'or defined' check + to the A::T codebase and a test to ensure filenames like '0' are + handeled correctly. +- Apply #28407: Unicode and Archive::Tar - documentation patch as + FAQ patch + +* important changes in version 1.32 25/7/2007: +- Apply #28407: Unicode and Archive::Tar - documentation patch as + FAQ patch +- Following a report from rgs that A::T 1.31 doesn't play nicely + with -Dmksymlinks under perl core, rewrite the symlink logic in + A::T::File->new to continue building an object when reading a + symlink fails, rather than refusing to read on a symlink (which + is obviously wrong) +- Quell warnings when a gid is not resolvable to a group name + +* important changes in version 1.31 18/5/2007: +- No longer use the t/setup.t and t/cleanup.t files but just bundle + the binary files; this was done for core integration, but the new + uupacktool.pl script means we dont have to do this anymore +_ Apply core perl Change 30997 by rgs@stcosmo on 2007/04/20 15:03:57 +- Address: #27124: Unneeded warning sent when checking for file + inclusion contains_file() will no longer warn to STDERR when a file + is not contained in an archive and $WARN is set to 'true'. 
+- Address #26492: Dangling symlinks not preserved: Archive::Tar used + to complain about dangling symlinks, unlike standard gnu tar, which + would add them silently. This patch brings A::T's behaviour in line + with gnu tar +- Minor pod fixes + * important changes in version 1.30 8/2/2006: - applied bleadperl patch: Subject: Change 27416: Cleanup Archive-Tar temporary test files Index: bin/ptar =================================================================== --- bin/ptar (.../1.30-2) (revision 32619) +++ bin/ptar (.../1.38-2) (revision 32619) @@ -6,14 +6,17 @@ use File::Find; my $opts = {}; -getopts('dcvzthxf:', $opts) or die usage(); +getopts('dcvzthxf:I', $opts) or die usage(); ### show the help message ### die usage() if $opts->{h}; ### enable debugging (undocumented feature) -local $Archive::Tar::DEBUG = 1 if $opts->{d}; +local $Archive::Tar::DEBUG = 1 if $opts->{d}; +### enable insecure extracting. +local $Archive::Tar::INSECURE_EXTRACT_MODE = 1 if $opts->{I}; + ### sanity checks ### unless ( 1 == grep { defined $opts->{$_} } qw[x t c] ) { die "You need exactly one of 'x', 't' or 'c' options: " . usage(); @@ -24,6 +27,7 @@ my $file = $opts->{f} ? $opts->{f} : 'default.tar'; my $tar = Archive::Tar->new(); + if( $opts->{c} ) { my @files; find( sub { push @files, $File::Find::name; @@ -64,6 +68,8 @@ z Read/Write zlib compressed ARCHIVE_FILE (not always available) v Print filenames as they are added or extraced from ARCHIVE_FILE h Prints this help message + I Enable 'Insecure Extract Mode', which allows archives to extract + files outside the current working directory. (Not advised). See Also: tar(1)
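Review bot: in the test hunk that exercises $Archive::Tar::INSECURE_EXTRACT_MODE (the one ending just before "Index: t/02_methods.t"), the secure-mode block only asserts the qr/attempting to leave/ message, so the new "is an absolute path" branch of extract_file has no assertion in the lines shown. Add a second case that renames the entry to an absolute path and checks that extract_file fails with qr/absolute path/ and that nothing is written. In the same block, "local $Archive::Tar::WARN = 0;" appears twice in a row; if the repeat is there to silence the "used only once" warning, say so in the comment, otherwise drop one.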
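Review bot: in lib/Archive/Tar.pm, hunk @@ -537,16 +545,68 @@, the new guard in the relative-path branch is purely lexical: "grep { $_ eq '..' } @dirs" inspects only the components of the entry's directory part and never consults the filesystem, so it says nothing about a directory component that already exists on disk as a symlink. If that case is deliberately out of scope, state it in the comment above the check; otherwise resolve the composed $dir and confirm it is still below $cwd before any directory or file is created. Smaller point in the same hunk: "map tr/\./_/, @dirs if ON_VMS;" uses map in void context and rewrites every dot, while the comment above it speaks of the first one only; a for loop and a comment that matches the behaviour would be clearer.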
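Review bot: in lib/Archive/Tar.pm, hunk @@ -1511,6 +1582,23 @@, the new POD for $Archive::Tar::INSECURE_EXTRACT_MODE does not mention that both checks in extract_file are conditioned on "not defined $alt", so a caller who passes an explicit extract path as the second argument is never subject to them, whatever the variable is set to. That exemption is part of the security contract and should be documented here and in the extract_file entry, since callers who derive the second argument from archive contents get no protection. Also "Therefor" should read "Therefore".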
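Review bot: across the hunks that replace "shift or return" with "return unless defined ..." (contains_file and extract_file in lib/Archive/Tar.pm; _new_from_file, _new_from_data, _filetype and rename in lib/Archive/Tar/File.pm), the new test lets the empty string through as a file name, where the old one rejected it together with '0'. The CHANGES entry for 1.34 only asks for names like '0' to be handled, so "return unless defined $path and length $path;" would fix that without starting to accept '' as a path. The 1.34 entry mentions a test for '0'; an equivalent test for '' would pin the intended behaviour down.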
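Review bot: in the CHANGES hunk, the entry for the security fix is easy to miss because of formatting slips: the 1.38 heading reads "vesrion", and the "Address #30380: directory traversal vulnerability" line and the "Apply core perl Change 30997" line start with "_" instead of "-". The "Apply #28407: Unicode and Archive::Tar" item is also listed under both 1.34 and 1.32. Since this diff is being submitted to justify a stable update, it would help if the accompanying debian/changelog entry named the directory traversal fix and the backwards-incompatible default explicitly rather than relying on this text.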
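Review bot: in bin/ptar, hunk @@ -6,14 +6,17 @@, the new -I switch is accepted together with any of x, t or c, although $Archive::Tar::INSECURE_EXTRACT_MODE only has an effect on extraction. Rejecting or at least warning about -I without -x in the sanity-check block that follows would stop it being carried around in scripts and aliases where it does nothing until the mode changes. The usage text added in hunk @@ -64,6 +68,8 @@ documents the switch, which is good; the unchanged line above it still says "extraced".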
Attachment:
signature.asc
Description: Digital signature