rpm/tar
SHA256
1
0
Fork 0
forked from pool/tar
Code Pull Requests Activity
885805a010
tar/tar-1.29-extract_pathname_bypass.patch
Marcus Meissner 885805a010 Accepting request 439571 from home:kstreitova:branches:Base:System 
- add tar-1.29-extract_pathname_bypass.patch to fix POINTYFEATHER
  vulnerability - GNU tar archiver can be tricked into extracting 
  files and directories in the given destination, regardless of the 
  path name(s) specified on the command line [bsc#1007188] 
  [CVE-2016-6321]

OBS-URL: https://build.opensuse.org/request/show/439571
OBS-URL: https://build.opensuse.org/package/show/Base:System/tar?expand=0&rev=73
2016-11-10 22:20:00 +00:00

30 lines
795 B
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Index: lib/paxnames.c
===================================================================
--- lib/paxnames.c.orig
+++ lib/paxnames.c
@@ -18,6 +18,7 @@
#include <system.h>
#include <hash.h>
#include <paxlib.h>
+#include <quotearg.h>
/* Hash tables of strings. */
@@ -114,7 +115,15 @@ safer_name_suffix (char const *file_name
for (p = file_name + prefix_len; *p; )
{
if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
- prefix_len = p + 2 - file_name;
+ {
+ static char const *const diagnostic[] =
+ {
+ N_("%s: Member name contains '..'"),
+ N_("%s: Hard link target contains '..'")
+ };
+ FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
+ quotearg_colon (file_name)));
+ }
do
{
View Git Blame Copy Permalink