Paul Eggert <egg...@cs.ucla.edu> writes:

> How about the attached patches? They add a new option
> --absolute-links, as I imagine the change to tar's default behavior
> might cause trouble and the new option is a smaller hammer than
> --absolute-names (-P).
>
> I haven't installed them. I'd like a bit more time to think about them
> as this can be a tricky area.

These changes look good to me, thanks. Tested with the example given in
the CVE report.

> +      struct stat st;
> +      if (fstatat (chdir_fd, name, &st, 0) < 0
> +       || (dirid.ino == st.st_ino && dirid.dev == st.st_dev))
> +     return true;
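
Review bot: In the condition "fstatat (chdir_fd, name, &st, 0) < 0 || (...)", a failed fstatat takes the same "return true" path as a dev/ino match, and nothing in the hunk says why. A short comment stating what a true result means here and why a stat error is treated like a match would help. The comment could also note that the flags argument of 0 makes fstatat follow a symlink in the last component of name, so a reader can tell that this is intended rather than AT_SYMLINK_NOFOLLOW.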

Should this be SAME_INODE from gnulib, or does tar not use it?

Collin
