Subject: bin/18759: pax/tar dot-dot handling broken
To: None <gnats-bugs@gnats.netbsd.org>
From: None <naoki@fukaumi.org>
List: netbsd-bugs
Date: 10/22/2002 11:05:18
>Number: 18759
>Category: bin
>Synopsis: pax/tar dot-dot handling broken
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Oct 21 19:06:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: FUKAUMI Naoki
>Release: NetBSD 1.6I
>Organization:
FUKAUMI Naoki
>Environment:
System: NetBSD nforce.naobsd.org 1.6I NetBSD 1.6I (NFORCE) #0: Mon Oct 21 10:19:49 JST 2002 fun@nforce.naobsd.org:/usr/obj/i386/sys/arch/i386/compile/NFORCE i386
Architecture: i386
Machine: i386
>Description:
pax/tar ignores filenames that contain `..' as a path component.
(It's OK. Very secure.)
And it ignores symlinks that contain `..' in the symlink target, too!
(It's WRONG!, isn't it?)
e.g.) cdrtools-1.10.tar.gz (pkgsrc/sysutils/cdrecord)
:
lrwxrwxrwx joerg/bs 0 Jul 21 22:35 2000 cdrtools-1.10/inc/getfp.c -> ../lib/getfp.c
:
This symlink is ignored. Of course, make package always fails.
>How-To-Repeat:
See Description.
>Fix:
I don't know. Please fix this bug ASAP!
>Release-Note:
>Audit-Trail:
>Unformatted:
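
Added example, not part of the original report and not NetBSD's pax code: a C sketch of the distinction the report draws, refusing `..` in member names while accepting a symlink target whose `..` stays inside the extraction root. The function names, the lexical resolution (no other symlinks on the path) and the refusal of absolute targets are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Walk path's components starting `depth` levels below the extraction root.
 * Returns the final depth, or -1 if a ".." is refused: always when strict,
 * otherwise only when it would climb above the root. */
static int walk(const char *path, int depth, int strict)
{
    while (*path != '\0') {
        size_t n = strcspn(path, "/");
        if (n == 2 && memcmp(path, "..", 2) == 0) {
            if (strict || --depth < 0)
                return -1;
        } else if (n > 0 && !(n == 1 && path[0] == '.')) {
            depth++;
        }
        path += n + (path[n] == '/');
    }
    return depth;
}

/* Member names: refuse absolute paths and any ".." component. */
int member_name_ok(const char *name)
{
    return name[0] != '/' && walk(name, 0, 1) >= 0;
}

/* Symlink targets: resolve lexically from the directory holding the link and
 * accept a ".." that stays inside the root. Assumptions of this sketch:
 * absolute targets are refused; no other symlinks lie on the path. */
int symlink_target_ok(const char *link_name, const char *target)
{
    const char *slash = strrchr(link_name, '/');
    size_t n = slash ? (size_t)(slash - link_name) : 0;
    char dir[1024];
    int depth;

    if (target[0] == '/' || n >= sizeof(dir) || !member_name_ok(link_name))
        return 0;
    memcpy(dir, link_name, n);
    dir[n] = '\0';
    depth = walk(dir, 0, 1);
    return depth >= 0 && walk(target, depth, 0) >= 0;
}

int main(void)
{
    /* Link name and target from the report's cdrtools-1.10 listing. */
    printf("%d\n", symlink_target_ok("cdrtools-1.10/inc/getfp.c", "../lib/getfp.c"));
    return 0;
}
```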