Subject: gnu-tar (and unzip) vulnerabilities
To: None <>
From: Jeremy C. Reed <>
List: tech-security
Date: 10/07/2002 14:10:44
There have been some vulnerabilities with gnu-tar (and unzip)
where arbitrary files can be overwritten during archive extraction.

The regular official FSF/GNU mirrors don't have recent tar, but a new
version is at (and GNU alpha (not the
hardware) mirrors).

I also read that the tar-1.13.25 version has issues too, which Red Hat fixed.

Their source is at

(It looks like the archivers/unzip is already up-to-date.)

I send-pr'd this so it can be kept track of for gnu-tar.

As far as I know, all uses of tar files in the default install and with
build tools can be done with pax. A couple of other operating systems happily
use pax (or a wrapper) instead of GNU tar. I am guessing that pax is
better than any other public domain or BSD version of tar.

   Jeremy C. Reed
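Added example, not part of the message above: a Python pre-extraction check for the class of problem the post describes, archive members whose names or link targets resolve outside the extraction directory. The base directory and the in-memory sample archive are constructed for the demonstration.

```python
import io
import os
import tarfile

def escapes(base, path):
    """True if joining `path` onto `base` resolves outside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, path))
    return target != base and not target.startswith(base + os.sep)

def unsafe_members(tar, base):
    """Return names of members that would write or link outside `base`."""
    bad = []
    for m in tar.getmembers():
        # Absolute names and '..' components both escape via os.path.join.
        if escapes(base, m.name):
            bad.append(m.name)
            continue
        if m.issym():
            # A symlink target resolves relative to the link's own directory.
            link_dir = os.path.dirname(m.name)
            if escapes(base, os.path.join(link_dir, m.linkname)):
                bad.append(m.name)
        elif m.islnk():
            # A hard link target is relative to the archive root.
            if escapes(base, m.linkname):
                bad.append(m.name)
    return bad

def build_sample_archive():
    """Constructed archive: one safe file, two traversal names, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        for name in ("docs/readme.txt", "../../etc/passwd", "/etc/crontab"):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
        link = tarfile.TarInfo("docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside"
        tar.addfile(link)
    buf.seek(0)
    return buf

def check_sample(base="/tmp/extract-here"):
    """Run the check over the constructed archive; nothing is extracted."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        return unsafe_members(tar, base)

if __name__ == "__main__":
    print(check_sample())
```

Run the check (or one like it) before calling extractall(); only members it does not flag should be extracted.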