Subject: Re: GNU tar for netbsd-1-6
To: Toru TAKAMIZU <ttaka@earth.email.ne.jp>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 07/05/2003 08:20:15
On Sat, 5 Jul 2003, Toru TAKAMIZU wrote:

> I'm reluctant to raise this matter, but I think I have to.
>
> netbsd-1-6 branch has GNU tar 1.11.2, which is known to have
> a security issue.

I agree that this should be fixed.

I think this is my PR security/18578 which I send-pr'd on 07/Oct/2002.
(Arbitrary files can be overwritten during archive extraction.)

http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=18578

I had a lot of discussion with a few developers (most not using gnats and
most off-list). I provided patches, links to patches and discussion,
tested patches, tested simple exploits, etc.

The pkgsrc was updated and my PR was closed in January, and I was told that
pax-as-tar works.

I had written myself a note to follow up on this to make sure that official
1.6.x was fixed too[1]. (I don't personally care about 1.5.x anymore,
because it has other security issues that are becoming too hard to fix.)

   Jeremy C. Reed
   http://bsd.reedmedia.net/

p.s. I sell binary updates for security issues. I wanted to provide an
official fix to my customers.
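A defensive pre-extraction check for the class of issue named in the PR above (archive members whose path or link target would land outside the extraction directory), as an added example in Python that is not part of this thread, of NetBSD or of GNU tar; the sample archive contents and the destination directory `/srv/extract` are constructed for the illustration.

```python
import io
import posixpath
import tarfile


def _escapes(dest: str, rel: str) -> bool:
    """True if dest/rel resolves (lexically, POSIX rules) outside dest."""
    target = posixpath.normpath(posixpath.join(dest, rel))
    return not (target == dest or target.startswith(dest + "/"))


def unsafe_members(archive: bytes, dest: str = "/srv/extract") -> list:
    """Return (member_name, reason) for each entry that could write outside dest.

    Covers the two classic escapes: absolute or '..'-bearing member names,
    and symlink/hardlink entries whose target points above the destination.
    """
    dest = posixpath.normpath(dest)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if posixpath.isabs(m.name) or _escapes(dest, m.name):
                findings.append((m.name, "member path escapes extraction dir"))
                continue
            if m.issym():
                # symlink targets are relative to the link's own directory
                where = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if posixpath.isabs(m.linkname) or _escapes(dest, where):
                    findings.append((m.name, "symlink target escapes extraction dir"))
            elif m.islnk():
                if posixpath.isabs(m.linkname) or _escapes(dest, m.linkname):
                    findings.append((m.name, "hardlink target escapes extraction dir"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file plus three hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("docs/readme.txt")       # fine
        add_file("../../escaped.txt")     # '..' traversal
        add_file("/tmp/abs.txt")          # absolute path
        link = tarfile.TarInfo("docs/out")  # symlink climbing above dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()
```

Refuse the whole archive when the list is non-empty rather than skipping entries, since a later member may write through an earlier symlink.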