From d6e0b959c092f81aead2d69c07e9dc2c9344e3a7 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 06 2019 10:01:49 +0000
Subject: import perl-Archive-Tar-1.92-3.el7
---
diff --git a/SOURCES/Archive-Tar-2.28-Fixed-CVE-2018-12015.patch b/SOURCES/Archive-Tar-2.28-Fixed-CVE-2018-12015.patch
new file mode 100644
index 0000000..08b1646
--- /dev/null
+++ b/SOURCES/Archive-Tar-2.28-Fixed-CVE-2018-12015.patch
@@ -0,0 +1,41 @@
+From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Fri, 8 Jun 2018 11:45:40 +0100
+Subject: [PATCH] [PATCH] Remove existing files before overwriting them
+
+Archive should extract only the latest same-named entry.
+Extracted regular file should not be writtent into existing block
+device (or any other one).
+
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+Signed-off-by: Chris 'BinGOs' Williams
+---
+ lib/Archive/Tar.pm | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/Archive/Tar.pm b/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/lib/Archive/Tar.pm
++++ b/lib/Archive/Tar.pm
+@@ -842,6 +842,20 @@ sub _extract_file {
+ return;
+ }
+ 
++ ### If a file system already contains a block device with the same name as
++ ### the being extracted regular file, we would write the file's content
++ ### to the block device. So remove the existing file (block device) now.
++ ### If an archive contains multiple same-named entries, the last one
++ ### should replace the previous ones. So remove the old file now.
++ ### If the old entry is a symlink to a file outside of the CWD, the new
++ ### entry would create a file there. This is CVE-2018-12015
++ ### .
++ if (-l $full || -e _) {
++ if (!unlink $full) {
++ $self->_error( qq[Could not remove old file '$full': $!] );
++ return;
++ }
++ }
+ if( length $entry->type && $entry->is_file ) {
+ my $fh = IO::File->new;
+ $fh->open( '>' . $full ) or (
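Review bot: The unlink added under `if (-l $full || -e _)` narrows but does not close the symlink case its own comment describes, because the write on the next visible line, `$fh->open( '>' . $full )`, still follows a symlink re-planted between the unlink and the open by anyone who can write to the extraction directory (a check-then-use race). Creating the file with `sysopen($fh, $full, O_WRONLY|O_CREAT|O_EXCL)` (flags from `Fcntl`, plus `O_NOFOLLOW` where the platform has it) after the unlink would fail loudly on a re-planted link instead of writing through it. The new check also only inspects the final path component; a symlinked parent directory inside `$full` is not covered by this hunk, and whether it is validated earlier in `_extract_file` cannot be seen from here since the sub begins and ends outside the hunk. When `$full` is an existing directory, `unlink` fails and the entry is aborted with the new error, which is the safe outcome, though the message `Could not remove old file` will be misleading in that case and could say `old entry`.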
diff --git a/SPECS/perl-Archive-Tar.spec b/SPECS/perl-Archive-Tar.spec
index 23e1e9c..8ca767f 100644
--- a/SPECS/perl-Archive-Tar.spec
+++ b/SPECS/perl-Archive-Tar.spec
@@ -1,11 +1,13 @@
 Name: perl-Archive-Tar
 Version: 1.92
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A module for Perl manipulation of .tar files
 Group: Development/Libraries
 License: GPL+ or Artistic
 URL: http://search.cpan.org/dist/Archive-Tar/
 Source0: http://www.cpan.org/authors/id/B/BI/BINGOS/Archive-Tar-%{version}.tar.gz
+# Directory traversal in Archive::Tar, CVE-2018-12015, CPAN RT#125523
+Patch0: Archive-Tar-2.28-Fixed-CVE-2018-12015.patch
 BuildArch: noarch
 # Most of the BRS are needed only for tests, compression support at run-time
 # is optional soft dependency.
@@ -52,6 +54,7 @@ will also support compressed or gzipped tar files.
 %prep
 %setup -q -n Archive-Tar-%{version}
+%patch0 -p1
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -74,6 +77,9 @@ make test
 %changelog
+* Thu Jan 17 2019 Jitka Plesnikova - 1.92-3
+- CVE-2018-12015 - Directory traversal in Archive::Tar (bug #1592803)
+
 * Fri Dec 27 2013 Daniel Mach - 1.92-2
 - Mass rebuild 2013-12-27