Control: tags -1 + patch
(dropping the bug-tar list, since this reply is only relevant within
Debian).
Hi Paul,
On Sat, Oct 29, 2016 at 09:19:09PM -0700, Paul Eggert wrote:
> Thanks for the heads-up. Yes, it appears the 2003 change was not
> sufficiently paranoid about ".." in member names. Luckily
Processing control commands:
> tags -1 + patch
Bug #842339 [tar] tar: CVE-2016-6321: Bypassing the extract path name
Added tag(s) patch.
--
842339: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842339
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Thanks for the heads-up. Yes, it appears the 2003 change was not sufficiently
paranoid about ".." in member names. Luckily, the tar manual still documents the
pre-2003 behavior, so we can restore that behavior as a simple bug fix. I
installed the attached patch into Savannah as one way to do tha