X-Git-Url: https://git.gag.com/?p=debian%2Ftar;a=blobdiff_plain;f=debian%2Fpatches%2FWhen-extracting-skip-.-members.patch;fp=debian%2Fpatches%2FWhen-extracting-skip-.-members.patch;h=b624137047f78969744b9563286a5e1ffd8e7619;hp=0000000000000000000000000000000000000000;hb=1ff2f5cb0aa2b2098f6b22b8df395c6e0d12e23e;hpb=c4be0132e805fd4ce535a5cabb0169d1b5445896

diff --git a/debian/patches/When-extracting-skip-.-members.patch b/debian/patches/When-extracting-skip-.-members.patch
new file mode 100644
index 00000000..b6241370
--- /dev/null
+++ b/debian/patches/When-extracting-skip-.-members.patch
@@ -0,0 +1,33 @@
+Description: When extracting, skip ".." members (CVE-2016-6321)
+Origin: upstream,  http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
+Bug-Debian: https://bugs.debian.org/842339
+Forwarded: not-needed.
+Author: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Last-Update: 2016-10-30
+---
+ src/extract.c | 8 ++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {