On Thu, 12 Jul 2001, 3APA3A wrote:

> GNU tar (all platforms):
>
> tar below 1.13.19 including latest releases has no any ".." or
> absolute path protection. Tar development team was contacted. They
> replied they're aware of problem and current development version
> 1.13.19 implements some kind of protection but it doesn't work for
> most cases due to bug in coding. Exploitation scenario was passed
> back to development team. I hope it will work then 1.13.19 will be
> finally released. See attached patch (tar-1.13.19.patch). 1.13.19
> sources can be obtained from ftp://alpha.gnu.org/gnu/tar/

Please note that in a unix-like environment, one can also put a symlink
pointing "outside" into the archive and make tar follow that symlink
later.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
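
The three cases raised in this thread (a ".." component, an absolute path, and a member written through a symlink stored earlier in the same archive) can be checked before extraction. The following is an added example, not part of the original post and not GNU tar's code; `audit_members`, `_entry` and the sample member names are hypothetical and constructed for illustration.

```python
import posixpath
import tarfile


def _outside(path):
    """True if a normalized relative path climbs above its starting directory."""
    return path == ".." or path.startswith("../")


def audit_members(members):
    """Return (name, reason) for members that could write outside the target dir."""
    findings = []
    links = set()  # normalized paths of symlinks seen earlier in the archive
    for m in members:
        norm = posixpath.normpath(m.name)
        parts = norm.split("/")
        parents = {"/".join(parts[:i]) for i in range(1, len(parts))}
        if m.name.startswith("/"):
            findings.append((m.name, "absolute path"))
        elif _outside(norm):
            findings.append((m.name, "'..' escapes extraction directory"))
        elif parents & links:
            # A parent component is a symlink from this archive, so the
            # write would follow wherever that link points.
            findings.append((m.name, "written through archived symlink"))
        elif m.issym():
            target = posixpath.normpath(
                posixpath.join(posixpath.dirname(norm), m.linkname))
            if m.linkname.startswith("/") or _outside(target):
                findings.append((m.name, "symlink points outside"))
            links.add(norm)
    return findings


def _entry(name, kind=tarfile.REGTYPE, linkname=""):
    """Build a TarInfo header in memory (constructed sample input)."""
    ti = tarfile.TarInfo(name)
    ti.type, ti.linkname = kind, linkname
    return ti


# Constructed member list; no archive is read from or written to disk.
SAMPLE = [
    _entry("docs/README"),
    _entry("../outside.txt"),
    _entry("/tmp/abs.txt"),
    _entry("docs/link", tarfile.SYMTYPE, "../.."),
    _entry("docs/link/file.txt"),
    _entry("docs/inner", tarfile.SYMTYPE, "README"),
]
```

On a real archive, pass `tarfile.open(path).getmembers()` to `audit_members` and refuse to extract if the result is non-empty. The check is deliberately conservative: it flags any member written through an archived symlink, even one whose target stays inside the tree.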
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 13:52:50 PDT