I've pushed code to forbid symlinks with ".." components. That's the best we can do for now, I believe. Implementing path traversal in user space, making sure it is used everywhere, and making it reasonably fast and portable seems too much in the short term.
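An added example, not the pushed code or the project's own: a component-wise check that rejects symlink targets containing "..", plus a constructed temporary tree showing why string normalization of such paths does not match real path resolution. The function names and the directory layout are assumptions made for illustration.

```python
import os
import shutil
import tempfile


def has_dotdot_component(target: str) -> bool:
    """True if any '/'-separated component of a symlink target is exactly '..'."""
    return ".." in target.split("/")


def is_inside(path: str, directory: str) -> bool:
    """True if absolute `path` lies within absolute `directory`."""
    return os.path.commonpath([path, directory]) == directory


def lexical_vs_resolved(path_with_dotdot: str = "sub/../secret"):
    """Resolve one path two ways inside a constructed temp tree.

    Layout (all constructed): tree/sub is a symlink to elsewhere/deep.
    Returns (lexical, resolved, tree) as absolute paths.
    """
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        tree = os.path.join(root, "tree")
        deep = os.path.join(root, "elsewhere", "deep")
        os.makedirs(tree)
        os.makedirs(deep)
        os.symlink(deep, os.path.join(tree, "sub"))
        joined = os.path.join(tree, path_with_dotdot)
        lexical = os.path.normpath(joined)   # string-only: "sub/.." cancels out
        resolved = os.path.realpath(joined)  # follows tree/sub first, then ".."
        return lexical, resolved, tree
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Constructed sample targets; only exact ".." components are rejected.
    for t in ["v2", "../libexec/tool", "sub/../secret", "..hidden", "name..", "dir/.."]:
        print(f"{t!r:22} rejected={has_dotdot_component(t)}")
    lexical, resolved, tree = lexical_vs_resolved()
    print("lexical :", lexical, "inside tree:", is_inside(lexical, tree))
    print("resolved:", resolved, "inside tree:", is_inside(resolved, tree))
```

The second half is why a blanket rejection is the conservative choice: a target such as `sub/../secret` looks harmless after normalization, but its real destination depends on what `sub` is at resolution time.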