Subject: Re: tar ignores filenames that contain `..'
To: NetBSD Packages Technical Discussion List <tech-pkg@NetBSD.ORG>
From: Thor Lancelot Simon <firstname.lastname@example.org>
Date: 10/23/2002 12:15:21

On Wed, Oct 23, 2002 at 12:05:39PM -0400, Greg A. Woods wrote:
> I would say from my experience in using pax exclusively for well over a
> year now, and from what I read in that followup discussion, that the bug
> really must be fixed in pkg_create.

Okay, I'm going to shock and amaze you all by agreeing with Greg. The
fact that binary packages contain tar files with upwards path components
(and thus require the use of insanely dangerous tar options to extract)
has always disturbed me greatly. It also makes creating malicious
packages much easier -- you don't even have to _run_ the binaries in
them, just extract them.

Please don't revert security fixes to tar/pax just to avoid fixing
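
The kind of check the thread is arguing for, as an added example that is not part of the original thread or of pkg_create/tar/pax: an audit that lists archive members an unmodified extractor could write outside the extraction directory (absolute names, any `..` component, and link targets that resolve outside the root). It uses Python's standard tarfile module and a constructed in-memory archive; the function and entry names are assumptions for illustration.

```python
import io
import posixpath
import tarfile


def _escapes(path):
    """True if a relative POSIX path resolves outside the extraction root."""
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def unsafe_members(tar):
    """Return [(member name, reason)] for entries that could write outside the
    directory the archive is extracted into. Conservative on purpose: any '..'
    component is flagged, matching the tar behaviour the thread discusses."""
    findings = []
    for m in tar.getmembers():
        name = m.name
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in name.split("/"):
            findings.append((name, "'..' path component"))
        elif m.issym():
            # symlink targets are relative to the link's own directory
            target = posixpath.join(posixpath.dirname(name), m.linkname)
            if m.linkname.startswith("/") or _escapes(target):
                findings.append((name, "symlink target escapes: " + m.linkname))
        elif m.islnk():
            # hardlink targets are relative to the archive root
            if m.linkname.startswith("/") or _escapes(m.linkname):
                findings.append((name, "hardlink target escapes: " + m.linkname))
    return findings


def build_sample_archive():
    """Constructed in-memory archive mixing one safe and four unsafe entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("bin/hello", b"#!/bin/sh\n"), ("../../etc/passwd", b"x"),
                           ("lib/../../escape", b"y"), ("/etc/hosts", b"z")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("share/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside"
        tar.addfile(link)
    buf.seek(0)
    return buf


def audit(buf):
    """Open a tar stream read-only and report its unsafe members."""
    with tarfile.open(fileobj=buf, mode="r") as tar:
        return unsafe_members(tar)
```

Running `audit(build_sample_archive())` lists the four escaping entries and leaves `bin/hello` alone; the same function can be pointed at a real package file with `open(path, "rb")`.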