Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches/CVE-2015-0857.diff Edit: gnutar instead of tar Description: Fix local code execution when calling diff (CVE-2015-0857) Reported by Rainer Müller . Implemented using Text::Diff instead of diff and backticks. Author: Axel Beckert Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0857
Index: tardiff
===================================================================
--- tardiff	2016-04-28 19:19:02.194646937 +0200
+++ tardiff	2016-04-28 19:36:41.253948109 +0200
@@ -6,6 +6,7 @@
 # Published under GNU GPL conditions
 
 use strict;
+use Text::Diff;
 
 my $VERSION = '0.1';
 
@@ -73,7 +74,12 @@
 	$flag = "-j";
     }
 
-    my $list = `gnutar -C $tempdir $flag -xvf $tarball 2>/dev/null`;
+    open(TARLIST, '-|', qw(gnutar -C), $tempdir, $flag, qw(-xvf), $tarball)
+      or die "Can't call tar as expected: $!";
+    local $/ = undef; # slurp mode
+    my $list = or die "Couldn't read from tar";
+    close(TARLIST) or warn "tar exited with non-zero exit code";
+
     return $list;
 }
 
@@ -116,7 +122,7 @@
     if(-d $file1 and -d $file2){
 	return 0;
     }elsif(-f $file1 and -f $file2){
-	my $diff = `diff $file1 $file2`;
+	my $diff = diff $file1, $file2, { STYLE => "OldStyle" };
 	if($diff){
 	    if($opt_stats){
 		my $plus = 0;
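Review bot: `my $list = <TARLIST> or die "Couldn't read from tar";` (the readline operand appears to have been eaten by the rendering of this page) dies on an empty listing as well as on a read failure, because an archive with no members makes gnutar print nothing and an empty string is false; the check should be on `defined $list`. The bareword handle `TARLIST` is a package global; a lexical `my $tar_fh` keeps it scoped to this sub, and the warning at `close` could carry `$? >> 8` so the reader sees which exit code gnutar returned. Two behaviour differences from the removed backtick line are worth a comment: tar's stderr is no longer discarded (`2>/dev/null` is gone) and now reaches the caller's stderr, and if `$flag` can be empty — its initialisation is outside the hunk — the list-form open passes an empty argv element where the shell used to drop it. The enclosing sub starts before the hunk.
```perl
    open(my $tar_fh, '-|', qw(gnutar -C), $tempdir, $flag, qw(-xvf), $tarball)
      or die "Can't call tar as expected: $!";
    local $/ = undef; # slurp mode: read the whole member listing at once
    my $list = <$tar_fh>;
    die "Couldn't read from tar" unless defined $list;
    close($tar_fh) or warn "tar exited with non-zero exit code " . ($? >> 8);
    # … unchanged: return $list; …
```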
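Review bot: `my $diff = diff $file1, $file2, { STYLE => "OldStyle" };` changes the failure mode of the comparison without saying so: the removed backtick yielded an empty string when `diff` could not read a file, which the following `if($diff)` treated as "identical", whereas Text::Diff, as far as I recall, croaks on a file it cannot open, so an unreadable member would now abort the whole run. Either wrap the call in `eval` and report the file name, or document the choice with `# Text::Diff opens the files itself and dies on failure; the -f test above checks existence, not readability`. Parenthesising the call, `diff($file1, $file2, { STYLE => "OldStyle" })`, also makes it clear to a reader that `diff` here is the Text::Diff import and not a sub defined in this script. The enclosing sub starts before the hunk and continues after it.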