Subject: Re: tar ignores filenames that contain `..'
To: Hisashi T Fujinaka <>
From: Greg A. Woods <>
List: tech-security
Date: 10/23/2002 12:42:34
[ On Wednesday, October 23, 2002 at 09:19:28 (-0700), Hisashi T Fujinaka wrote: ]
> Subject: Re: tar ignores filenames that contain `..'
> While I would agree with this, I wish there was a workaround for us
> non-netbsd-developers to use pkgsrc without installing directly from
> source.

I assume since you say "pkgsrc" that you mean you don't want to have to
install the NetBSD base system from source (since "pkgsrc" implies
you're installing all the packages from source).  Correct me if I'm

Indeed you shouldn't have to install NetBSD from source just to use
pkgsrc, even if you're using a -current snapshot.  However you may have
to install an updated pkgtools/pkg_install (when it becomes available :-).

Alternately you may be able to coerce pkgsrc into using
/usr/pkg/bin/gtar, though as Jason has pointed out that'll require some
fiddling too if you've upgraded to the new GNU Tar which fixes the same
security problem....

> And I am agreeing with Thor without agreeing with Greg.

hey now!  that's not logically possible!  ;-)  (at least not in this case :-)

