On Mon, 12 Dec 2016 18:28:02 +0100
Pino Toscano <ptoscano(a)redhat.com> wrote:
> Very recent versions of tar (most probably as a consequence of
> CVE-2016-6321) may refuse archive members with '..', like the relative
> paths to upper level directories.
Well, this should not concern us, I believe. The fix should only protect
when extracting a tar archive from an untrusted source. When you create a tar
archive using GNU tar, it does automatically strip the leading '..' and
prints "tar: Removing leading `../' from member names". This has been
there for as long as I can remember.
That being said, your patch definitely won't do any harm.
Tomas
--
Tomáš Golembiovský <tgolembi(a)redhat.com>
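
A check for the extraction case discussed in this thread, as an added example that is not part of the original messages or the patch: it lists archive members whose names are absolute or contain a '..' component before anything is extracted. The function names and sample member names are constructed for illustration, and the check is an assumption about what a cautious extractor looks for, not GNU tar's own logic.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Constructed sample member names (not taken from any real archive).
SAMPLE_NAMES = ["disk/image.raw", "../image.raw", "a/../../b", "/etc/x"]


def build_sample_archive(names):
    """Build an in-memory tar archive holding one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample\n"
            # TarInfo stores the name verbatim, unlike `tar -c`, which
            # strips a leading '../' when the archive is created.
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def risky_members(fileobj):
    """Return (name, reason) pairs for members that could land outside
    the extraction directory. Nothing is written to disk."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar:
            path = PurePosixPath(member.name)
            if path.is_absolute():
                findings.append((member.name, "absolute path"))
            elif ".." in path.parts:
                # PurePosixPath does not collapse '..', so 'a/../../b'
                # is still reported even though it starts with 'a'.
                findings.append((member.name, "'..' component"))
    return findings


if __name__ == "__main__":
    for name, reason in risky_members(build_sample_archive(SAMPLE_NAMES)):
        print(f"{name}: {reason}")
```

Running the audit over an archive from an untrusted source before extraction shows which members a fixed tar would refuse or rewrite.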