[deliberately not sent to the -public list]

Hi guys,

You've probably heard about the latest exploitable tar bug: if you unpack a malicious tar archive, it can overwrite (through e.g., ../..) any number of your key files with tarball-supplied contents. Fixed only recently in GNU tar for the upcoming 1.18.1 release.

It would be prudent to install the fixed version wherever root might unpack an untrusted tarball or forget to verify a signature or checksum before unpacking what they think is a trusted tarball (imagine a cracked mirror of trusted sources):

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131

Most vendors already have the fix, e.g., 1.18-2 in Debian. Is there policy for this on savannah? The installed tar is version 1.16,
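As an added defender-side illustration (not code from the original message or from GNU tar), the check below inspects a tar archive's member names and link targets for the `../..` and absolute-path patterns described above before anything is written to disk; the sample archives are constructed in the example. It is a static name check that complements, not replaces, installing the fixed tar.

```python
import io
import os
import tarfile


def _escapes(path: str) -> bool:
    """True if a stored path is absolute or contains a '..' component."""
    parts = path.replace("\\", "/").split("/")
    return os.path.isabs(path) or path.startswith("/") or ".." in parts


def scan_archive(data: bytes) -> list:
    """Return the names of members that could land outside the extraction dir.

    Flags regular entries whose name escapes, and symlinks/hardlinks whose
    target escapes (a link to /etc followed by 'link/passwd' is the classic
    second-stage trick, so link targets are checked as well as names).
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            if _escapes(m.name):
                bad.append(m.name)
            elif (m.issym() or m.islnk()) and _escapes(m.linkname):
                bad.append(m.name)
    return bad


def safe_extract(data: bytes, dest: str) -> None:
    """Refuse the whole archive if any member fails the scan; never extract partially."""
    bad = scan_archive(data)
    if bad:
        raise ValueError("refusing to unpack, unsafe members: %r" % bad)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest)


def build_archive(entries) -> bytes:
    """Constructed fixture: (name, bytes) adds a file, (name, None, target) adds a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for entry in entries:
            info = tarfile.TarInfo(name=entry[0])
            if entry[1] is None:
                info.type = tarfile.SYMTYPE
                info.linkname = entry[2]
                tar.addfile(info)
            else:
                info.size = len(entry[1])
                tar.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()
```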
