tar: patch for CVE-2016-6321

https://lwn.net/Vulnerabilities/705216/

+36 -1
+35
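--- a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch
+++ b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch
@@ -0,0 +1,35 @@
+commit 7340f67b9860ea0531c1450e5aa261c50f67165d
+Author: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat Oct 29 21:04:40 2016 -0700
+
+When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+{
+char typeflag;
+tar_extractor_t fun;
++ bool skip_dotdot_name;
+
+fatal_exit_hook = extract_finish;
+
+set_next_block_after (current_header);
+
++ skip_dotdot_name = (!absolute_names_option
++ && contains_dot_dot (current_stat_info.orig_file_name));
++ if (skip_dotdot_name)
++ ERROR ((0, 0, _("%s: Member name contains '..'"),
++ quotearg_colon (current_stat_info.orig_file_name)));
++
+if (!current_stat_info.file_name[0]
++ || skip_dotdot_name
+|| (interactive_option
+&& !confirm ("extract", current_stat_info.file_name))
+{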
+1 -1
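--- a/pkgs/tools/archivers/gnutar/default.nix
+++ b/pkgs/tools/archivers/gnutar/default.nix
@@ -9,7 +9,7 @@
 sha256 = "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0";
 };
 
-patches = [ ]; # FIXME: remove on another stdenv rebuild
+patches = [ ./CVE-2016-6321.patch ]; # FIXME: remove on another stdenv rebuild
 
 # avoid retaining reference to CF during stdenv bootstrap
 configureFlags = stdenv.lib.optionals stdenv.isDarwin [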
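Review bot: The `# FIXME: remove on another stdenv rebuild` comment carried over onto the new `patches` line now reads as an instruction to drop the CVE-2016-6321 patch at the next stdenv rebuild, whereas on the old line it referred to the empty placeholder list. A later cleanup following that FIXME literally would silently reintroduce the ".." extraction issue the patch fixes. Either drop the comment or make it say what may actually be removed, e.g. `patches = [ ./CVE-2016-6321.patch ]; # drop once the packaged gnutar release includes the upstream ".." extraction fix`. Whether the placeholder comment is still needed for the stdenv bootstrap is not visible from this hunk.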