In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. Archive::Tar validates each entry's own path against the extraction directory, but it extracts the symlink first and then opens the regular file's (identical, apparently safe) path for writing; that open follows the symlink, so the file content is written to the link target outside the extraction directory.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
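The following is an added example, not part of this bug report and not code from Archive::Tar itself. It builds the archive shape described above in memory (a symlink entry followed by a regular-file entry of the same name) and shows an application-side pre-extraction check that rejects it before `$tar->extract` is called. The entry names and the link target `/tmp/cve-2018-12015-target` are made up for the demonstration. The check is a defence in depth for code that must consume untrusted tarballs on a not-yet-updated host; it does not replace the upstream fix (perl-Archive-Tar 2.28 here), since it only sees symlinks that are inside the archive, not ones already present on disk.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of Archive::Tar itself.
# Pre-extraction scan for the CVE-2018-12015 pattern: a symlink entry
# followed by a regular-file entry with the same name (or a path beneath it).
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant;    # exports the entry type constants FILE, SYMLINK, ...

# Construct the malicious archive in memory. The link target is a made-up
# path; a real payload would point at something the extracting user can
# write, such as a shell startup file.
sub build_malicious_tar {
    my $tar = Archive::Tar->new;
    # Entry 1: "notes.txt" is a symlink pointing outside the extraction dir.
    # Its own archive path is a plain relative name, so the path check passes
    # and the symlink is created.
    $tar->add_data( 'notes.txt', '',
        { type => SYMLINK, linkname => '/tmp/cve-2018-12015-target' } );
    # Entry 2: a regular file with the SAME name. A vulnerable Archive::Tar
    # opens "notes.txt" for writing; open() follows the symlink just created,
    # so the content lands in /tmp/cve-2018-12015-target.
    $tar->add_data( 'notes.txt', "attacker controlled content\n",
        { type => FILE } );
    return $tar;
}

# A benign archive: a symlink is fine as long as no later entry is written
# through it.
sub build_clean_tar {
    my $tar = Archive::Tar->new;
    $tar->add_data( 'README', "harmless\n" );
    $tar->add_data( 'docs/link-to-readme', '',
        { type => SYMLINK, linkname => '../README' } );
    return $tar;
}

# Return descriptions of entries whose path reuses the name of an earlier
# symlink in the same archive, either exactly or as a directory prefix
# (the prefix case covers a symlinked directory followed by files inside it).
sub find_symlink_collisions {
    my ($tar) = @_;
    my %symlinked;    # archive path => link target
    my @bad;
    for my $entry ( $tar->get_files ) {
        ( my $path = $entry->full_path ) =~ s{/+\z}{};   # drop trailing slash
        if ( $entry->is_symlink ) {
            $symlinked{$path} = $entry->linkname;
            next;
        }
        my @parts = split m{/}, $path;
        for my $i ( 0 .. $#parts ) {
            my $prefix = join '/', @parts[ 0 .. $i ];
            next unless exists $symlinked{$prefix};
            push @bad, "$path (would be written through symlink $prefix -> $symlinked{$prefix})";
            last;
        }
    }
    return @bad;
}

for my $case ( [ malicious => build_malicious_tar() ],
               [ clean     => build_clean_tar()     ] ) {
    my ( $label, $tar ) = @$case;
    my @bad = find_symlink_collisions($tar);
    if (@bad) {
        print "$label: refusing to extract\n";
        print "  $_\n" for @bad;
    }
    else {
        print "$label: no symlink/file collisions, safe to call \$tar->extract\n";
    }
}
```

The script deliberately never calls `extract` on the malicious archive, so running it has no filesystem side effects; in real code the `find_symlink_collisions` result would gate the `$tar->extract` (or `extract_file`) call, and an archive read from disk would go through `Archive::Tar->new($path)` instead of `add_data`.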
Created perl tracking bugs for this issue: Affects: fedora-all [bug 1588761]
Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide the Archive::Tar module from the perl source package, but from the perl-Archive-Tar source package.
(In reply to Petr Pisar from comment #2)
> Please note that all Fedoras, RHSCLs and RHEL ≥ 7 do not provide
> Archive::Tar module by perl source package, but by perl-Archive-Tar source
> package.

Corrected. However, it seems that RHEL-5 also provides perl-Archive-Tar as a separate source package (i.e. only RHEL-6 has Archive::Tar merged into the perl source package).
(In reply to Cedric Buissart from comment #3)
> However, it seems that RHEL-5 also provides perl-Archive-Tar as
> source (i.e.: only RHEL-6 has Archive::Tar merged into perl source)

You are right. RHEL-5 also has a standalone perl-Archive-Tar. perl-5.8.8 never distributed Archive::Tar, because upstream only started bundling it with the perl sources in 5.9.3.
Created perl-Archive-Tar tracking bugs for this issue: Affects: fedora-all [bug 1591205]
perl-Archive-Tar-2.28-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
perl-Archive-Tar-2.28-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Upstream fix: https://github.com/jib/archive-tar-new/commit/ae65651eab05
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2097 https://access.redhat.com/errata/RHSA-2019:2097
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-12015