Subject: Re: tar ignores filenames that contain `..'
To: Jason R Thorpe <thorpej@wasabisystems.com>
From: Frederick Bruckman <fredb@immanent.net>
List: tech-pkg
Date: 10/23/2002 10:24:03
On Wed, 23 Oct 2002, Jason R Thorpe wrote:

> On Wed, Oct 23, 2002 at 09:25:03AM -0500, Frederick Bruckman wrote:
>
>  > This "pax" bug^H^H^Hfeature also breaks binary packages (PR bin/18759).
>  > It needs to be fixed in "pax".
>
> I seem to recall that this is what the GNU tar security issue was all
> about...

I see. So I guess the battle's already over, so "pkgsrc/mk" needs to
use "pax --insecure" everywhere that "tar" was used, and "pkg_create"
and "pkg_add" need to implement the old "tar" format in C?

For what it's worth, old NetBSD 1.6 "pax" has an interesting "forward
compatibility" twist, when used to create archives, in that it sees
"--insecure" as a non-existent filename and only warns (by virtue of
not understanding long options), rather than balking as it would with
a non-supported short option, but that doesn't help at all for
extracting archives.

Frederick
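The name-based refusal discussed in this thread (an archiver that will not extract members whose names contain `..`, unless told to be insecure) is easy to see in miniature. The following is an added illustration and is not code from the thread, from pax or from pkgsrc: it builds a constructed tar archive in memory whose member names include `..` and an absolute path, applies two checks to each member, the conservative name rule ("any `..` component or leading `/` is refused", the rule the thread describes) and a resolution rule ("does the member land outside the destination once normalised"), and extracts only the members the name rule accepts. The destination directory, member names and helper function names are assumptions made for the example; the exact set of names pax refuses is not something the thread states.

```python
import io
import os
import posixpath
import tarfile
import tempfile

# Constructed sample member names (not taken from the thread): a mix of
# names that stay inside the extraction directory and names that climb out.
SAMPLE_NAMES = (
    "pkg/bin/tool",          # plain relative path
    "pkg/../sibling",        # contains '..' but resolves inside the tree
    "pkg/./sub/../ok",       # same, with a '.' component as well
    "../../../etc/passwd",   # climbs out of the destination
    "/etc/shadow",           # absolute path
)


def build_sample_archive(names=SAMPLE_NAMES) -> bytes:
    """Build a small tar archive in memory whose member names are exactly the
    given strings. TarInfo names are written verbatim, so '..' and a leading
    '/' survive into the header, which is what a hostile archive carries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def has_dotdot_or_absolute(name: str) -> bool:
    """Name rule (assumed, modelled on the thread): refuse absolute names and
    any name with a '..' path component, without resolving the path."""
    return name.startswith("/") or ".." in name.split("/")


def escapes_dest(name: str, dest: str = "/var/tmp/extract") -> bool:
    """Resolution rule: would the member land outside dest once the path is
    normalised lexically? posixpath keeps the check platform independent."""
    dest = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest, name))
    return not (target == dest or target.startswith(dest + "/"))


def classify(archive: bytes, dest: str = "/var/tmp/extract") -> dict:
    """Return {member name: (refused_by_name_rule, escapes_dest)}."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            out[m.name] = (has_dotdot_or_absolute(m.name),
                           escapes_dest(m.name, dest))
    return out


def extract_safe_members(archive: bytes, dest: str) -> list:
    """Write only the regular-file members that pass the name rule into dest.
    Files are written by hand rather than via TarFile.extract so the only
    traversal defence in play is has_dotdot_or_absolute(). Note the
    strictness: 'pkg/../sibling' is skipped even though it resolves inside
    dest, which is the kind of refusal the thread is complaining about."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if not m.isfile() or has_dotdot_or_absolute(m.name):
                continue
            target = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(m).read())
            written.append(m.name)
    return written


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, (refused, escapes) in classify(archive).items():
        print(f"{name:22s} refused_by_name_rule={refused!s:5s} "
              f"escapes_dest={escapes}")
    dest = tempfile.mkdtemp()
    print("extracted into", dest, "->", extract_safe_members(archive, dest))
```

The two rules disagree on `pkg/../sibling` and `pkg/./sub/../ok`: both resolve inside the destination, yet the name rule refuses them. That gap is why a blanket refusal of `..` is safe against traversal but can also reject archives that were never hostile, which is the tension between the security fix and the breakage of binary packages described above.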