UbuntuUpdates.org

Package "tar"

Name: tar

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • optional scripts for GNU version of the tar archiving utility

Latest version: 1.35+dfsg-4ubuntu0.3
Release: resolute (26.04)
Level: security
Repository: universe

Links



Other versions of "tar" in Resolute

Repository Area Version
base universe 1.35+dfsg-4
base main 1.35+dfsg-4
security main 1.35+dfsg-4ubuntu0.3
updates main 1.35+dfsg-4ubuntu0.2
updates universe 1.35+dfsg-4ubuntu0.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.35+dfsg-4ubuntu0.3 2026-07-16 21:08:18 UTC

  tar (1.35+dfsg-4ubuntu0.3) resolute-security; urgency=medium

  * SECURITY REGRESSION: Extract files issue
    - debian/patches/CVE-2026-5704-*.patch: address a regression
      that makes valid files not extract in src/list.c,
      tests/Makefile.am, tests/extrac32.at, tests/extrac34.at,
      test/testsuite.at, src/extract.c, tests/extract23,
      tests/extrac30.at (LP: #2160650).

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 15 Jul 2026 08:59:43 -0300

Source diff to previous version
2160650 tar after USN-8477-1 cannot extract previously valid files
CVE-2026-5704 A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fu

Version: 1.35+dfsg-4ubuntu0.2 2026-07-06 14:08:32 UTC

  tar (1.35+dfsg-4ubuntu0.2) resolute-security; urgency=medium

  * SECURITY UPDATE: File overwrite via directory traversal
    - debian/patches/CVE-2025-45582-*.patch: Backport openat2 support in
      order to jailify the extraction directory.
    - CVE-2025-45582

 -- Marc Deslauriers <email address hidden> Sat, 27 Jun 2026 19:09:16 -0400

Source diff to previous version
CVE-2025-45582 GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must e

Version: 1.35+dfsg-4ubuntu0.1 2026-06-25 22:07:33 UTC

  tar (1.35+dfsg-4ubuntu0.1) resolute-security; urgency=medium

  * SECURITY UPDATE: file injection via crafted archive
    - debian/patches/CVE-2026-5704.patch: always call skip_member() after
      extraction in src/extract.c, fix skim_member() to skip directory data
      in src/list.c, remove conditional skip_member() call from
      purge_directory in src/incremen.c
    - CVE-2026-5704

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 19 Jun 2026 11:01:00 -0300

CVE-2026-5704 A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fu



About   -   Send Feedback to @ubuntu_updates