- add security patch into devel branch

tar-1.15.1-mangling.patch

@@ -0,0 +1,59 @@
+--- tar-1.15.1/src/common.h.mangling	2006-12-04 12:47:40.000000000 +0100
++++ tar-1.15.1/src/common.h	2006-12-04 12:47:40.000000000 +0100
+@@ -124,6 +124,9 @@
+ 
+ GLOBAL bool absolute_names_option;
+ 
++/* Allow GNUTYPE_NAMES type? */
++GLOBAL bool allow_name_mangling_option;
++
+ /* Display file times in UTC */
+ GLOBAL bool utc_option;
+ 
+--- tar-1.15.1/src/extract.c.mangling	2006-12-04 12:47:40.000000000 +0100
++++ tar-1.15.1/src/extract.c	2006-12-04 12:47:40.000000000 +0100
+@@ -1171,7 +1171,13 @@
+       break;
+ 
+     case GNUTYPE_NAMES:
+-      extract_mangle ();
++      if (allow_name_mangling_option) {
++          extract_mangle ();
++      }
++      else {
++          ERROR ((0, 0, _("GNUTYPE_NAMES mangling ignored")));
++          skip_member ();
++      }
+       break;
+ 
+     case GNUTYPE_MULTIVOL:
+--- tar-1.15.1/src/tar.c.mangling	2006-12-04 12:47:40.000000000 +0100
++++ tar-1.15.1/src/tar.c	2006-12-04 12:55:35.000000000 +0100
+@@ -182,6 +182,7 @@
+ {
+   ACLS_OPTION = CHAR_MAX + 1,
+   ANCHORED_OPTION,
++  ALLOW_NAME_MANGLING_OPTION,
+   ATIME_PRESERVE_OPTION,
+   BACKUP_OPTION,
+   CHECKPOINT_OPTION,
+@@ -546,6 +547,8 @@
+ 
+   {NULL, 'o', 0, 0,
+    N_("when creating, same as --old-archive. When extracting, same as --no-same-owner"), 91 },
++  {"allow-name-mangling", ALLOW_NAME_MANGLING_OPTION, 0, 0,
++   N_("when creating, allow GNUTYPE_NAMES mangling -- considered dangerous"), 91 },
+ 
+   {NULL, 0, NULL, 0,
+    N_("Other options:"), 100 },
+@@ -931,6 +934,10 @@
+     case 'Z':
+       set_use_compress_program_option ("compress");
+       break;
++
++    case ALLOW_NAME_MANGLING_OPTION:
++      allow_name_mangling_option = true;
++      break;
+       
+     case ANCHORED_OPTION:
+       args->exclude_options |= EXCLUDE_ANCHORED;

tar.spec

@@ -2,7 +2,7 @@ Summary: A GNU file archiving program
 Name: tar
 Epoch: 2
 Version: 1.15.1
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPL
 Group: Applications/Archiving
 URL: http://www.gnu.org/software/tar/
@@ -24,6 +24,7 @@ Patch12: tar-1.15.1-optionsOrder.patch
 Patch13: tar-1.15.1-permissions.patch
 Patch14: tar-1.15.1-incompatibilities.patch
 Patch15: tar-1.15.1-xattrs.patch
+Patch16: tar-1.15.1-mangling.patch
 Prereq: info
 BuildRequires: autoconf automake gzip
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@@ -57,6 +58,7 @@ the rmt package.
 %patch13 -p1 -b .permissions
 %patch14 -p1 -b .incompatibilities
 %patch15 -p1 -b .xattrs
+%patch16 -p1 -b .mangling
 
 %build
 %configure --bindir=/bin --libexecdir=/sbin
@@ -113,6 +115,9 @@ fi
 %{_infodir}/tar.info*
 
 %changelog
+* Tue Dec 12 2006 Florian La Roche <laroche@redhat.com> 2:1.15.1-23
+- fix CVE-2006-6097 GNU tar directory traversal (#216937)
+
 * Sat Dec 10 2006 Peter Vrabec <pvrabec@redhat.com> 2:1.15.1-22
 - fix some rpmlint spec file issues