This update for tar fixes the following issues:
- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).
- Update to GNU tar 1.34:
  - Fix extraction over pipe
  - Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
  - Fix extraction when . and .. are unreadable
  - Gracefully handle duplicate symlinks when extracting
  - Re-initialize supplementary groups when switching to user privileges
- Update to GNU tar 1.33:
  - POSIX extended format headers do not include PID by default
  - --delay-directory-restore works for archives with reversed member ordering
  - Fix extraction of a symbolic link hardlinked to another symbolic link
  - Wildcards in exclude-vcs-ignore mode don't match slash
  - Fix the --no-overwrite-dir option
  - Fix handling of chained renames in incremental backups
  - Link counting works for file names supplied with -T
  - Accept only position-sensitive (file-selection) options in file list files
- Prepare usrmerge (bsc#1029961)
- Update to GNU tar 1.32:
  - Fix the use of --checkpoint without explicit --checkpoint-action
  - Fix extraction with the -U option
  - Fix iconv usage on BSD-based systems
  - Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923]
  - Improve the testsuite
- Update to GNU tar 1.31:
  - Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28
  - Support for zstd compression
  - New option '--zstd' instructs tar to use zstd as compression
    program. When listing, extracting and comparing, zstd compressed
    archives are recognized automatically. When '-a' option is in
    effect, zstd compression is selected if the destination archive
    name ends in '.zst' or '.tzst'.
  - The -K option interacts properly with...