Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches/CVE-2015-0857.diff
Edit: gnutar instead of tar

Description: Fix local code execution when calling diff (CVE-2015-0857)
 Reported by Rainer Müller <raimue@codingfarm.de>. Implemented using
 Text::Diff instead of diff and backticks.
Author: Axel Beckert <abe@debian.org>
Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0857

Index: tardiff
===================================================================
--- tardiff	2016-04-28 19:19:02.194646937 +0200
+++ tardiff	2016-04-28 19:36:41.253948109 +0200
@@ -6,6 +6,7 @@
 # Published under GNU GPL conditions
 
 use strict;
+use Text::Diff;
 
 my $VERSION = '0.1';
 
@@ -73,7 +74,12 @@
 		$flag = "-j";
 	}
 
-	my $list = `gnutar -C $tempdir $flag -xvf $tarball 2>/dev/null`;
+	open(TARLIST, '-|', qw(gnutar -C), $tempdir, $flag, qw(-xvf), $tarball)
+	    or die "Can't call tar as expected: $!";
+	local $/ = undef; # slurp mode
+	my $list = <TARLIST> or die "Couldn't read from tar";
+	close(TARLIST) or warn "tar exited with non-zero exit code";
+
 	return $list;
 }
 
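Review bot: The new `close(TARLIST) or warn "tar exited with non-zero exit code"` throws away the status that `close` leaves in `$?`, so a user learns neither which archive failed nor why; `close(TARLIST) or warn "gnutar on $tarball exited with status " . ($? >> 8);` keeps the diagnosis. The list-form pipe open correctly bypasses the shell, but it also drops the old `2>/dev/null`, so gnutar's own error output now reaches the terminal — reasonable, though worth a one-line comment saying it is intentional. `my $list = <TARLIST> or die "Couldn't read from tar"` dies on an archive whose extraction lists nothing at all, since an empty slurp is false; if an empty listing is legitimate, test `defined $list` instead. A lexical handle (`open(my $tarlist, '-|', ...)`) would avoid the package-global bareword `TARLIST`. The enclosing sub starts outside the hunk.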
@@ -116,7 +122,7 @@
 	if(-d $file1 and -d $file2){
 		return 0;
 	}elsif(-f $file1 and -f $file2){
-		my $diff = `diff $file1 $file2`;
+		my $diff = diff $file1, $file2, { STYLE => "OldStyle" };
 		if($diff){
 			if($opt_stats){
 				my $plus = 0;
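Review bot: `diff $file1, $file2, { STYLE => "OldStyle" }` makes Text::Diff read both files itself, and unlike the GNU diff it replaces it presumably does not special-case binary content, so two differing binaries would be line-diffed in full rather than reported as "Binary files differ"; the `$plus` counting that follows likely still works because OldStyle keeps the `<`/`>` line markers of the old output, but that is inferred from the style name rather than visible here. A read failure inside Text::Diff is presumably raised as an exception rather than the empty string the backticks returned, so the caller now dies on an unreadable file instead of reporting "no difference"; if that is the intended behaviour a comment such as `# Text::Diff reads the files itself (no shell); it dies on an unreadable file` would document it. The if/elsif block continues past the end of the hunk.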