Subject: CVS commit: [pkgsrc-2015Q2] pkgsrc/sysutils/tarsnap
From: Matthias Scheler
Date: 2015-08-24 21:10:30
Message id: 20150824191030.1523D98@cvs.netbsd.org

Log Message:
Pullup ticket #4797 - requested by wiz
sysutils/tarsnap: security update

Revisions pulled up:
- sysutils/tarsnap/Makefile                                     1.10-1.11
- sysutils/tarsnap/distinfo                                     1.6-1.7

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Fri Aug 21 14:43:17 UTC 2015

   Modified Files:
   	pkgsrc/sysutils/tarsnap: Makefile distinfo

   Log Message:
   Update to 1.0.36:

   1. SECURITY FIX: When constructing paths of objects being archived, a buffer
   could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte
   paths. Theoretically this could be exploited by an unprivileged user whose
   files are being archived; I do not believe it is exploitable in practice,
   but I am offering a $1000 bounty for the first person who can prove me wrong:
   http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html

   2. SECURITY FIX: An attacker with a machine's write keys, or with read keys
   and control of the tarsnap service, could make tarsnap allocate a large
   amount of memory upon listing archives or reading an archive the attacker
   created; on 32-bit machines, tarsnap can be caused to crash under the
   aforementioned conditions.

   3. BUG FIX: Tarsnap no longer crashes if its first DNS lookup fails.

   4. BUG FIX: Tarsnap no longer exits with "Callbacks uninitialized" when
   running on a dual-stack network if the first IP stack it attempts fails to
   connect.

   5. tarsnap now avoids opening devices nodes on linux if it is instructed to
   archive /dev/.  This change may prevent "watchdog"-triggered reboots.

   6. tarsnap -c --dry-run can now run without a keyfile, allowing users to
   predict how much Tarsnap will cost before signing up.

   7. tarsnap now has bash completion scripts.

   8. tarsnap now takes a --retry-forever option.

   9. tarsnap now automatically detects and uses AESNI and SSE2.

   As usual, there are also many minor build fixes, harmless bug fixes, and code
   refactoring / cleanup changes.  For a full listing of changes, consult the
   tarsnap git repository: https://github.com/Tarsnap/tarsnap

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Fri Aug 21 18:03:22 UTC 2015

   Modified Files:
   	pkgsrc/sysutils/tarsnap: Makefile distinfo

   Log Message:
   Update to 1.0.36.1:
   OS X lacks the POSIX-mandated clock_gettime function, and tarsnap is
   not using libcperciva's "support broken operating systems" compatibility
   mechanism yet.  Add -DPOSIXFAIL_CLOCK_REALTIME to the build.

Files:
RevisionActionfile
1.9.8.1modifypkgsrc/sysutils/tarsnap/Makefile
1.5.10.1modifypkgsrc/sysutils/tarsnap/distinfo