Subject: bin/18759: pax/tar dot-dot handling broken
To: None <>
From: None <>
List: netbsd-bugs
Date: 10/22/2002 11:05:18
>Number:         18759
>Category:       bin
>Synopsis:       pax/tar dot-dot handling broken
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Oct 21 19:06:00 PDT 2002
>Originator:     FUKAUMI Naoki
>Release:        NetBSD 1.6I
System: NetBSD 1.6I NetBSD 1.6I (NFORCE) #0: Mon Oct 21 10:19:49 JST 2002 i386
Architecture: i386
Machine: i386
	pax/tar ignores filenames that contain `..' as a path component.
	(It's OK. Very secure.)

	And it ignores symlinks that contain `..' in the symlink target, too!
	(It's WRONG!, isn't it?)

	e.g.) cdrtools-1.10.tar.gz (pkgsrc/sysutils/cdrecord)
	lrwxrwxrwx joerg/bs          0 Jul 21 22:35 2000 cdrtools-1.10/inc/getfp.c -> ../lib/getfp.c
	This symlink is ignored. Of course, `make package' always fails.

	See Description.
	I don't know. Please fix this bug ASAP!
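
The distinction this report draws, sketched as an added example (not code from pax and not the fix applied to this PR): a member name with a `..` component is refused outright, while a symlink target is resolved lexically from the directory holding the link and refused only if it is absolute or climbs above the extraction root. The function names `has_dotdot` and `symlink_escapes` are hypothetical.

```c
#include <string.h>

/* Consume one '/'-separated component from *pp and classify it:
 * 2 for "..", 0 for "" or ".", 1 for an ordinary name. */
static int next_kind(const char **pp)
{
    const char *p = *pp;
    size_t n = strcspn(p, "/");

    *pp = (p[n] == '/') ? p + n + 1 : p + n;
    if (n == 2 && p[0] == '.' && p[1] == '.')
        return 2;
    return (n == 0 || (n == 1 && p[0] == '.')) ? 0 : 1;
}

/* Member-name check: 1 if any path component is exactly "..". */
int has_dotdot(const char *path)
{
    while (*path != '\0')
        if (next_kind(&path) == 2)
            return 1;
    return 0;
}

/* Symlink check: 1 if target is absolute or, resolved lexically from the
 * directory holding link_path, climbs above the extraction root. It does not
 * follow symlinks already on disk; an extractor needs that check separately. */
int symlink_escapes(const char *link_path, const char *target)
{
    int depth = 0, k;

    if (target[0] == '/' || has_dotdot(link_path))
        return 1;
    while (*link_path != '\0')
        depth += next_kind(&link_path);  /* 0 or 1: ".." was rejected above */
    if (depth == 0)
        return 1;                        /* empty member name */
    depth--;                             /* drop the link's own name */
    while (*target != '\0') {
        k = next_kind(&target);
        if (k == 2 && --depth < 0)
            return 1;
        if (k == 1)
            depth++;
    }
    return 0;
}
```

With the link from the report, `symlink_escapes("cdrtools-1.10/inc/getfp.c", "../lib/getfp.c")` returns 0, because the target resolves to `cdrtools-1.10/lib/getfp.c` inside the tree.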