On Tuesday, 10 December 2013 at 16.27.32, you wrote:
> CVE-2013-4420[0]:
> tar_extract_glob and tar_extract_all path prefix directory traversal
>
> Attached is a proposed patch that makes libtar work similarly to tar.

The first "if" should be a "while", shouldn't it? Otherwise we'll only skip over the first "../" if file_name starts with "../../", if I'm not mistaken.

--
Magnus Holmgren holmg...@debian.org
Debian Developer