Version in base suite: 1.14-2.3 Version in overlay suite: 1.14-2.4 Base version: tar_1.14-2.3 Target version: tar_1.14-2.4 Base file: /org/ftp.debian.org/ftp/pool/main/t/tar/tar_1.14-2.3.dsc Target file: /org/ftp.debian.org/ftp/pool/main/t/tar/tar_1.14-2.4.dsc
diff -u tar-1.14/debian/changelog tar-1.14/debian/changelog
--- tar-1.14/debian/changelog
+++ tar-1.14/debian/changelog
@@ -1,3 +1,14 @@
+tar (1.14-2.4) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Apply patch from Dmitry V. Levin to avoid a
+ stack-based buffer overflow while processing certain file names
+ (CVE-2007-4476). Closes: #441444.
+ * Apply patch from Dmitry V. Levin to fix double-dot recognition
+ in case of duplicate / (CVE-2007-4131). Closes: #439335.
+
+ -- Florian Weimer Wed, 26 Dec 2007 12:19:01 +0100
+
 tar (1.14-2.3) stable-security; urgency=high

 * Non-maintainer upload by the Security Team.
only in patch2: unchanged:
--- tar-1.14.orig/src/names.c
+++ tar-1.14/src/names.c
@@ -954,15 +954,27 @@
 return strcmp (name1, name2) == 0;
 }

-/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
- copy of STRING to TABLE and return 1. */
+/* Return zero if TABLE contains a LEN-character long prefix of STRING,
+ otherwise, insert a newly allocated copy of this prefix to TABLE and
+ return 1. If RETURN_PREFIX is not NULL, point it to the allocated
+ copy. */
 static bool
-hash_string_insert (Hash_table **table, char const *string)
+hash_string_insert_prefix (Hash_table **table, char const *string, size_t len,
+ const char **return_prefix)
 {
 Hash_table *t = *table;
- char *s = xstrdup (string);
+ char *s;
 char *e;

+ if (len)
+ {
+ s = xmalloc (len + 1);
+ memcpy (s, string, len);
+ s[len] = 0;
+ }
+ else
+ s = xstrdup (string);
+
 if (! ((t
 || (*table = t = hash_initialize (0, 0, hash_string_hasher,
 hash_string_compare, 0)))
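Review bot: The new header comment on `hash_string_insert_prefix` does not say that `len == 0` selects the whole string. The `else` branch falls back to `xstrdup (string)`, so a caller whose computed prefix length is 0 silently gets the full name inserted instead of an empty prefix. I would add `If LEN is zero, use all of STRING.` to the comment. It should also state that LEN must not exceed the length of STRING, because `memcpy (s, string, len)` copies exactly LEN bytes without looking for the terminator. The function body continues past the end of this hunk.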
@@ -970,7 +982,11 @@
 xalloc_die ();

 if (e == s)
- return 1;
+ {
+ if (return_prefix)
+ *return_prefix = s;
+ return 1;
+ }
 else
 {
 free (s);
@@ -978,6 +994,14 @@
 }
 }

+/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
+ copy of STRING to TABLE and return 1. */
+bool
+hash_string_insert (Hash_table **table, char const *string)
+{
+ return hash_string_insert_prefix (table, string, 0, NULL);
+}
+
 /* Return 1 if TABLE contains STRING. */
 static bool
 hash_string_lookup (Hash_table const *table, char const *string)
@@ -1042,11 +1066,9 @@
 if (prefix_len)
 {
 static Hash_table *prefix_table[2];
- char *prefix = alloca (prefix_len + 1);
- memcpy (prefix, file_name, prefix_len);
- prefix[prefix_len] = '\0';
-
- if (hash_string_insert (&prefix_table[link_target], prefix))
+ const char *prefix;
+ if (hash_string_insert_prefix (&prefix_table[link_target], file_name,
+ prefix_len, &prefix))
 {
 static char const *const diagnostic[] =
 {
@@ -1112,11 +1134,10 @@
 if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
 return 1;

- do
+ while (! ISSLASH (*p))
 {
 if (! *p++)
 return 0;
 }
- while (! ISSLASH (*p));
 }
 }
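Review bot: In the hunk at -970, `*return_prefix` is written only on the branch that returns 1; on the other branch `s` is freed and the out-parameter is left untouched. The caller added in the hunk at -1042 declares `const char *prefix;` without an initializer, so any read of it outside the `if` body would use an indeterminate pointer. Writing `const char *prefix = NULL;` there makes that mistake fail predictably. The function comment should also say that RETURN_PREFIX is set only when 1 is returned, and that the pointer is the copy the comment describes as inserted into TABLE, so the caller must not free it. The enclosing function starts before and ends after this hunk.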
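Review bot: `hash_string_insert` loses its `static` qualifier in the hunk at -978. The old definition sat under the `static bool` context line that now belongs to `hash_string_insert_prefix`, while the re-added wrapper is declared plain `bool`. No header change is visible in this diff, so unless another translation unit needs the symbol, the wrapper should stay file-local as `static bool`. If external linkage is intended, a prototype in the shared header should accompany the change.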
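Review bot: Nothing at the call site in the hunk at -1042 records why the prefix copy moved off the stack, which makes it easy for a later cleanup to reintroduce `alloca`. A short comment above the call would help, for example `/* Copy the prefix on the heap: prefix_len depends on the file name and must not size a stack allocation. */`. That `prefix_len` is derived from `file_name` is inferred from the call arguments and the changelog entry for CVE-2007-4476; the computation itself is outside the hunk.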
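Review bot: The switch from `do … while` to a pre-test `while` in the hunk at -1112 reads as cosmetic, and no comment says why the condition must be checked before advancing. When `p` already rests on a slash, as with a duplicate `/`, the old loop stepped over the first character of the next component before the `..` test could see it. I would record that above the loop with `/* P may already be at a slash (duplicate '/'); do not advance here, so the next iteration tests the following component. */`. A regression test using a name that contains `//..` would pin the behaviour. The enclosing loop and function begin outside the hunk.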