pkgsrc.se | The NetBSD package collection

./sysutils/tarsnap, Secure online backup service

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: pkgsrc-2015Q2, Version: 1.0.36.1, Package name: tarsnap-1.0.36.1, Maintainer: pkgsrc-users

Tarsnap is a secure online backup service for BSD, Linux, OS X,
Solaris, Cygwin, and can probably be compiled on many other UNIX-like
operating systems. The Tarsnap client code provides a flexible and
powerful command-line interface which can be used directly or via
shell scripts.

Master sites:

https://www.tarsnap.com/download/ (Download)

SHA1: d678c2d7701f013901540dab6899aca9ea5e146f
RMD160: 1b0c780f743367f12cd2a7738b63aefd6554e982
Filesize: 601.308 KB

Version history: (Expand)

(2015-08-25) Updated to version: tarsnap-1.0.36.1
(2015-07-04) Package added to pkgsrc.se, version tarsnap-1.0.35 (created)

CVS history: (Expand)

2015-08-24 21:10:30 by Matthias Scheler | Files touched by this commit (2) | Package updated

Log message:
Pullup ticket #4797 - requested by wiz
sysutils/tarsnap: security update

Revisions pulled up:
- sysutils/tarsnap/Makefile                                     1.10-1.11
- sysutils/tarsnap/distinfo                                     1.6-1.7

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Fri Aug 21 14:43:17 UTC 2015

   Modified Files:
   	pkgsrc/sysutils/tarsnap: Makefile distinfo

   Log message:
   Update to 1.0.36:

   1. SECURITY FIX: When constructing paths of objects being archived, a buffer
   could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte
   paths. Theoretically this could be exploited by an unprivileged user whose
   files are being archived; I do not believe it is exploitable in practice,
   but I am offering a $1000 bounty for the first person who can prove me wrong:
   http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html

   2. SECURITY FIX: An attacker with a machine's write keys, or with read keys
   and control of the tarsnap service, could make tarsnap allocate a large
   amount of memory upon listing archives or reading an archive the attacker
   created; on 32-bit machines, tarsnap can be caused to crash under the
   aforementioned conditions.

   3. BUG FIX: Tarsnap no longer crashes if its first DNS lookup fails.

   4. BUG FIX: Tarsnap no longer exits with "Callbacks uninitialized" when
   running on a dual-stack network if the first IP stack it attempts fails to
   connect.

   5. tarsnap now avoids opening devices nodes on linux if it is instructed to
   archive /dev/.  This change may prevent "watchdog"-triggered reboots.

   6. tarsnap -c --dry-run can now run without a keyfile, allowing users to
   predict how much Tarsnap will cost before signing up.

   7. tarsnap now has bash completion scripts.

   8. tarsnap now takes a --retry-forever option.

   9. tarsnap now automatically detects and uses AESNI and SSE2.

   As usual, there are also many minor build fixes, harmless bug fixes, and code
   refactoring / cleanup changes.  For a full listing of changes, consult the
   tarsnap git repository: https://github.com/Tarsnap/tarsnap

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Fri Aug 21 18:03:22 UTC 2015

   Modified Files:
   	pkgsrc/sysutils/tarsnap: Makefile distinfo

   Log message:
   Update to 1.0.36.1:
   OS X lacks the POSIX-mandated clock_gettime function, and tarsnap is
   not using libcperciva's "support broken operating systems" compatibility
   mechanism yet.  Add -DPOSIXFAIL_CLOCK_REALTIME to the build.