1 Description: When extracting, skip ".." members (CVE-2016-6321)
2 Origin: upstream, http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
3 Bug-Debian: https://bugs.debian.org/842339
5 Author: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
6 Last-Update: 2016-10-30
8 src/extract.c | 8 ++++++++
9 2 files changed, 15 insertions(+), 1 deletion(-)
13 @@ -1629,12 +1629,20 @@ extract_archive (void)
17 + bool skip_dotdot_name;
19 fatal_exit_hook = extract_finish;
21 set_next_block_after (current_header);
23 + skip_dotdot_name = (!absolute_names_option
24 + && contains_dot_dot (current_stat_info.orig_file_name));
25 + if (skip_dotdot_name)
26 + ERROR ((0, 0, _("%s: Member name contains '..'"),
27 + quotearg_colon (current_stat_info.orig_file_name)));
29 if (!current_stat_info.file_name[0]
31 || (interactive_option
32 && !confirm ("extract", current_stat_info.file_name)))