Subject: gnu-tar (and unzip) vulnerabilities
To: None <firstname.lastname@example.org>
From: Jeremy C. Reed <email@example.com>
Date: 10/07/2002 14:10:44
There have been some vulnerabilities with gnu-tar (and unzip)
where arbitrary files can be overwritten during archive extraction.
The regular official FSF/GNU mirrors don't have recent tar, but a new
version is at ftp://alpha.gnu.org/gnu/tar/ (and GNU alpha (not the
I also read that the tar-1.13.25 version has issues too, which Red Hat fixed.
Their source is at
(It looks like the archivers/unzip is already up-to-date.)
I send-pr'd this so it can be kept track of for gnu-tar.
As far as I know, all uses of tar files in the default install and with
build tools can be done with pax. A couple other operating systems happily
use a pax (or a wrapper) instead of GNU tar. I am guessing that pax is
better than any other public domain or BSD version of tar.
Jeremy C. Reed
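The arbitrary-overwrite problem mentioned above comes from archive entries whose names or link targets resolve outside the extraction directory. As an added example (not from the post, GNU tar or pax), here is a pre-extraction audit in Python that refuses such entries before an archive is handed to any extractor; the destination path, the reason strings and the sample archive are constructed for the demonstration.

```python
import io
import os
import tarfile

def _escapes(dest: str, path: str) -> bool:
    """True if `path`, joined to `dest` and normalised, lands outside `dest`."""
    dest = os.path.abspath(dest)
    target = os.path.normpath(os.path.join(dest, path))
    return os.path.commonpath([dest, target]) != dest

def unsafe_members(data: bytes, dest: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry that could write outside dest."""
    # Entries are judged one at a time, so a symlink is flagged at the link itself,
    # not at later entries written through it: refuse the whole archive on any hit.
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if os.path.isabs(m.name):
                problems.append((m.name, "absolute path"))
            elif _escapes(dest, m.name):
                problems.append((m.name, "path escapes destination"))
            elif m.issym() or m.islnk():
                # symlink targets are relative to the member's directory,
                # hard link targets are relative to the archive root
                base = os.path.dirname(m.name) if m.issym() else ""
                if os.path.isabs(m.linkname) or _escapes(dest, os.path.join(base, m.linkname)):
                    problems.append((m.name, "link target escapes destination"))
            elif m.isdev():
                problems.append((m.name, "device node"))
    return problems

def build_sample_archive() -> bytes:
    """Constructed test archive: a benign file, a traversal name and an escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in [("docs/README", b"ok\n"), ("../outside.txt", b"x\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside-dir"
        tf.addfile(link)
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in unsafe_members(build_sample_archive(), "/tmp/extract"):
        print(f"REFUSE {name}: {why}")
```

The check is a gate, not a sanitiser: when it returns anything, reject the archive instead of extracting the remaining entries.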