On Thu, 12 Jul 2001, 3APA3A wrote:

> GNU tar (all platforms):
> 
> tar below 1.13.19, including the latest releases, has no ".." or
> absolute path protection. Tar development team was contacted. They
> replied they're aware of the problem and the current development version
> 1.13.19 implements some kind of protection but it doesn't work for
> most cases due to a bug in coding. Exploitation scenario was passed
> back to the development team. I hope it will work then 1.13.19 will be
> finally released. See attached patch (tar-1.13.19.patch). 1.13.19
> sources can be obtained from ftp://alpha.gnu.org/gnu/tar/

Please note that in a unix-like environment, one can also put a symlink
pointing "outside" into the archive and make tar follow that symlink
later.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
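
The two cases raised in this thread (".." or absolute member names, and a symlink stored in the archive that a later member is written through) can be checked before anything is extracted. The following is an added example using Python's standard `tarfile` module, not part of either message and not GNU tar's code; the function names and the in-memory sample archive are constructed for illustration, and refusing every member whose path passes through an archived link is a deliberately conservative assumption.

```python
import io
import posixpath
import tarfile


def escapes(path):
    """True if a '/'-separated path is absolute or climbs above its root."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def unsafe_members(tf):
    """Return [(member name, reason)] for entries that could land outside the target dir."""
    findings, links = [], set()
    for m in tf.getmembers():
        name = posixpath.normpath(m.name)
        # Every directory prefix of this member, e.g. a/b/c -> {"a", "a/b"}
        parents = {"/".join(name.split("/")[:i]) for i in range(1, name.count("/") + 1)}
        if escapes(m.name):
            findings.append((m.name, "absolute or '..' path"))
        elif parents & links:
            # Conservative assumption: refuse anything routed through an archived link
            findings.append((m.name, "path passes through an archived link"))
        elif m.issym() or m.islnk():
            # Symlink targets are relative to the link's directory, hard links to the root
            base = posixpath.dirname(name) if m.issym() else ""
            if escapes(posixpath.join(base, m.linkname)):
                findings.append((m.name, "link target outside the target dir"))
            links.add(name)
    return findings


def sample_archive():
    """Constructed in-memory archive; nothing is extracted or written to disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, target in [
            ("docs/readme.txt", tarfile.REGTYPE, ""),
            ("../outside.txt", tarfile.REGTYPE, ""),
            ("/abs/file.txt", tarfile.REGTYPE, ""),
            ("docs/out", tarfile.SYMTYPE, "../../elsewhere"),
            ("docs/out/file.txt", tarfile.REGTYPE, ""),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, target
            tf.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```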

