Paul Eggert <egg...@cs.ucla.edu> writes:

> How about the attached patches? They add a new option
> --absolute-links, as I imagine the change to tar's default behavior
> might cause trouble and the new option is a smaller hammer than
> --absolute-names (-P).
>
> I haven't installed them. I'd like a bit more time to think about them
> as this can be a tricky area.

These changes look good to me, thanks. Tested with the example given in the
CVE report.

> + struct stat st;
> + if (fstatat (chdir_fd, name, &st, 0) < 0
> + || (dirid.ino == st.st_ino && dirid.dev == st.st_dev))
> + return true;

Should this be SAME_INODE from gnulib, or does tar not use it?

Collin
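Review bot: in the quoted fstatat check, a failing fstatat and a matching inode both return true, so the error path is folded into the match path; a short comment stating that this is intended to fail closed (and that passing 0 as the flags argument, which follows a final symlink in name, is the deliberate choice here given the patch concerns symlink handling) would make the intent clear to the next reader, since otherwise the lookup failure looks like an accidental match.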