Import Debian changes 1.29b-1.1
1 Description: When extracting, skip ".." members (CVE-2016-6321)
2 Origin: upstream,  http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
3 Bug-Debian: https://bugs.debian.org/842339
4 Forwarded: not-needed.
5 Author: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
6 Last-Update: 2016-10-30
7 ---
8  src/extract.c | 8 ++++++++
9  2 files changed, 15 insertions(+), 1 deletion(-)
10
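--- a/src/extract.c
+++ b/src/extract.c
@@ -1629,12 +1629,20 @@ extract_archive (void)
 {
   char typeflag;
   tar_extractor_t fun;
+  bool skip_dotdot_name;
 
   fatal_exit_hook = extract_finish;
 
   set_next_block_after (current_header);
 
+  skip_dotdot_name = (!absolute_names_option
+                     && contains_dot_dot (current_stat_info.orig_file_name));
+  if (skip_dotdot_name)
+    ERROR ((0, 0, _("%s: Member name contains '..'"),
+           quotearg_colon (current_stat_info.orig_file_name)));
+
   if (!current_stat_info.file_name[0]
       || skip_dotdot_name
       || (interactive_option
          && !confirm ("extract", current_stat_info.file_name)))
     {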
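Review bot: The new `skip_dotdot_name` test reads `current_stat_info.orig_file_name`, while the empty-name and `confirm` tests right below it read `current_stat_info.file_name`, and nothing in the hunk says the difference is intentional. Presumably `orig_file_name` is the name as stored in the archive and `file_name` the one left after any rewriting, so checking the former is what makes the guard hold; a later cleanup that "harmonises" the two fields could quietly undo the fix. I would put a comment above the assignment, e.g. `/* Check the member name as stored in the archive, before any name rewriting; a '..' component must cause a skip unless -P (absolute_names_option) was given. See CVE-2016-6321. */`. The diagnostic could also say that the member is being skipped, since `ERROR` alone does not tell the user the entry was not extracted. The body of `extract_archive` continues past the end of this hunk, so how the skip branch behaves is not visible here.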