Subject: Re: tar ignores filenames that contain `..'
To: Thor Lancelot Simon <firstname.lastname@example.org>
From: Hisashi T Fujinaka <email@example.com>
Date: 10/23/2002 09:19:28

While I would agree with this, I wish there was a workaround for us
non-netbsd-developers to use pkgsrc without installing directly from

And I am agreeing with Thor without agreeing with Greg.

On Wed, 23 Oct 2002, Thor Lancelot Simon wrote:
> On Wed, Oct 23, 2002 at 12:05:39PM -0400, Greg A. Woods wrote:
> > I would say from my experience in using pax exclusively for well over a
> > year now, and from what I read in that followup discussion, that the bug
> > really must be fixed in pkg_create.
>
> Okay, I'm going to shock and amaze you all by agreeing with Greg. The
> fact that binary packages contain tar files with upwards path components
> (and thus require the use of insanely dangerous tar options to extract)
> has always disturbed me greatly. It also makes creating malicious
> packages much easier -- you don't even have to _run_ the binaries in
> them, just extract them.
>
> Please don't revert security fixes to tar/pax just to avoid fixing

Hisashi T Fujinaka - firstname.lastname@example.org
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte
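
A pre-extraction check for the upward path components discussed in this thread, as an added example that is not part of the original message or of pkgsrc: it lists archive members whose names contain `..`, are absolute, or are links pointing outside the extraction root. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

def _escapes(path, base=""):
    """True if `path`, resolved relative to directory `base`, leaves the extraction root."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(posixpath.join(base, path))
    return norm == ".." or norm.startswith("../")

def unsafe_members(fileobj):
    """Return [(member name, reason)] for entries that should block a plain extract."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            if ".." in m.name.split("/"):
                findings.append((m.name, "'..' path component"))
            elif _escapes(m.name):
                findings.append((m.name, "absolute path"))
            elif m.issym() and _escapes(m.linkname, posixpath.dirname(m.name)):
                findings.append((m.name, "symlink target outside root"))
            elif m.islnk() and _escapes(m.linkname):
                findings.append((m.name, "hard link target outside root"))
    return findings

def build_sample():
    """Constructed archive: one ordinary file, one upward path, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("bin/hello", "../../etc/constructed.conf"):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("lib/libx.so")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"  # resolves above the root from lib/
        tar.addfile(link)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample()):
        print(f"REJECT {name}: {reason}")
```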