Product SiteDocumentation Site

1.202. tar

1.202.1. RHSA-2010:0141: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0141
An updated tar package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive.
A heap-based buffer overflow flaw was found in the way tar expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the tar executable to crash or execute arbitrary code with the privileges of the user running tar. (CVE-2010-0624)
Red Hat would like to thank Jakob Lell for responsibly reporting the CVE-2010-0624 issue.
A denial of service flaw was found in the way tar expanded archive files. If a user expanded a specially-crafted archive, it could cause the tar executable to crash. (CVE-2007-4476)
Users of tar are advised to upgrade to this updated package, which contains backported patches to correct these issues.

1.202.2. RHBA-2010:0224: bug fix and enhancement update

An updated tar package that fixes several bugs and adds various enhancements is now available.
The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive.
This updated tar package provides fixes for the following bugs:
* using the tar command's "-f [hostname]:[file]" option to specify a host on which to carry out operations on an archive failed with a "Cannot open: Input/output error" message. This error occured when the rsh (remote shell) program was not available on the system on which the "tar" command was built. With this update, the tar package's spec file now lists the rsh package as a build dependency. Supplying the "-f [hostname]:[file]" option now works as expected. (BZ#294661)
* the tar(1) man page incorrectly stated that the "--occurrence=N" option causes tar to process the first N occurrences of each file in the archive. The man page has been updated to reflect the actual behavior, which is to process only the Nth occurrence of each file in the archive. (BZ#429522)
* extracting a tar archive that had been created using the "--xattrs" flag, which saves extended attribute information to the file, resulted in tar displaying "Warning: Cannot acl_from_text: Invalid argument" error messages for many extracted files. This was caused by an off-by-one coding error, and has been fixed in this update so that extended attributes are restored correctly from archive files. (BZ#472553)
* the tar command's "--keep-newer-files" flag informs tar not to replace existing files that are newer than their archive copies. When restoring from an archive while using this option, tar incorrectly removed older files. With this update, tar does not remove older files when the "--keep-newer-files" flag is used to restore an archive. (BZ#495686)
* extracting files from a tar archive when using the "--no-wildcards" flag to disable wildcard character interpretation did not work as expected: wildcard characters such as '*', '[' and '?' still affected file name matches. With this update, the "--no-wildcards" flag correctly disables wildcard syntax so that file names are matched literally. (BZ#510714)
* creating a tar archive which contained one or more directories with default extended attributes set, and then extracting that archive using the "--xattrs" flag on an Access Control List-enabled file system, did not result in the restoration of those directories' extended attributes. This has been fixed in this update so that directories' extended attributes are retained as expected when the tar archive is created and extracted appropriately. (BZ#512097)
* installing the tar package with the "rpm -i --excludedocs" command resulted in "install-info: No such file or directory" error messages. With this update, installing tar while excluding files marked as documentation completes successfully, and without error messages. (BZ#530955)
* attempting to extract a file smaller than 512 bytes from a tar archive resulted in an exit code of 0, indicating success, even though such files are not valid archives. With this update, tar returns an exit code of 2 and displays an error message when attempting to extract too-small files. (BZ#544427)
In addition, this updated package provides the following enhancements:
* previously, tar's support for preserving metadata information on files and directories suffered from several limitations: the value of any extended attribute was limited to 5 bytes, and it was not possible to preserve SELinux context and extended attribute information on symbolic links. This update allows both kinds of information to be preserved for symlinks, and removes the 5-byte limit on extended attributes values. (BZ#518208)
* the gtar(1) man page is newly included in this updated package. (BZ#530956)
Users are advised to upgrade to this updated tar package, which resolves these issues and adds these enhancements.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.