On Mon, 12 Dec 2016 18:28:02 +0100
Pino Toscano <[email protected]> wrote:

> Very recent versions of tar (most probably as a consequence of
> CVE-2016-6321) may refuse archive members with '..', like the relative
> paths to upper level directories.

Well, this should not concern us, I believe. The fix should only protect
when extracting a tar archive from an untrusted source. When you create a
tar archive using GNU tar it does automatically strip the leading '..' and
prints "tar: Removing leading `../' from member names". This has been
there since I can remember.

That being said, your patch definitely won't do any harm.

    Tomas

--
Tomáš Golembiovský <[email protected]>
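
The extraction-side concern discussed in this message, as an added example that is not part of the original thread or of libguestfs: a pre-extraction check that lists archive members whose names or link targets would resolve outside the destination directory. The function names, the member names in the sample archive and the destination directory are assumptions constructed for illustration.

```python
import io
import os
import tarfile


def build_sample_archive():
    """Constructed sample input: members as an untrusted sender could name them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../escape.txt",
                     "a/../../escape2.txt", "/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        # A symlink member whose target climbs out of the destination.
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def _inside(dest, path):
    """True if path, once normalized, is dest itself or below it."""
    return os.path.commonpath([dest, os.path.realpath(path)]) == dest


def members_escaping(tar_bytes, dest):
    """Return member names that would land, or point, outside dest."""
    dest = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)  # an absolute name replaces dest
            ok = _inside(dest, target)
            if ok and m.issym():
                # Symlink targets are relative to the link's own directory.
                ok = _inside(dest, os.path.join(os.path.dirname(target), m.linkname))
            elif ok and m.islnk():
                # Hard-link targets are relative to the archive root.
                ok = _inside(dest, os.path.join(dest, m.linkname))
            if not ok:
                bad.append(m.name)
    return bad


if __name__ == "__main__":
    print(members_escaping(build_sample_archive(), "unpack"))
```

An empty result means every member stays under the destination; any listed name is a reason to reject the archive before extracting it.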
