Isn't is straightforward to extract the files from the tar archive in a
temporary area, and recreate the tar file with the command line
parameters that force it to use full directory paths?

On Wed, 2002-10-23 at 09:33, Alistair Crooks wrote:
> On Wed, Oct 23, 2002 at 12:15:21PM -0400, Thor Lancelot Simon wrote:
> > On Wed, Oct 23, 2002 at 12:05:39PM -0400, Greg A. Woods wrote:
> > > 
> > > I would say from my experience in using pax exclusively for well over a
> > > year now, and from what I read in that followup discussion, that the bug
> > > really must be fixed in pkg_create.
> > 
> > Okay, I'm going to shock and amaze you all by agreeing with Greg.  The
> > fact that binary packages contain tar files with upwards path components
> > (and thus require the use of insanely dangerous tar options to extract)
> > has always disturbed me greatly.  It also makes creating malicious
> > packages much easier -- you don't even have to _run_ the binaries in
> > them, just extract them.
> > 
> > Please don't revert security fixes to tar/pax just to avoid fixing
> > pkg_create.
> 
> And I will jump in and say that it is really pax's problem.  This is
> because (a) a lot of the distfiles that we use in pkgsrc come with
> symbolic links with ".." in them, so that we can't even extract the
> contents properly now - this has nothing to do with pkg_create - and
> (b) because we go to great lengths in pkg_create to make symbolic
> links relative to ${PREFIX} for binary packages.  You are now
> seriously suggesting that we can't make archives relative to a certain
> directory because tar or pax might extract over a file that's above
> ${PREFIX}?  I'd say that was a bug in pax and tar - they should be
> able to calculate the depth of directories, and handle it accordingly.
> 
> I realise this has nothing to do with pax itself - we'd be seeing the
> same problems right now with GNU tar.
> 
> Regards,
> Alistair
-- 
Seth Kurtzberg
M. I. S. Corp
480-661-1849
Pager 888-605-9296, or 6059296@skytel.com