[Libguestfs] [PATCH] v2v: tests: avoid '..' in member names for tar
Tomáš Golembiovský
tgolembi at redhat.com
Mon Dec 12 23:02:56 UTC 2016
On Mon, 12 Dec 2016 18:28:02 +0100
Pino Toscano <ptoscano at redhat.com> wrote:
> Very recent versions of tar (most probably as a consequence of
> CVE-2016-6321) may refuse archive members with '..', like the relative
> paths to upper level directories.
Well, this should not concern us, I believe. The fix should only protect
when extracting a tar archive from an untrusted source. When you create a tar
archive using GNU tar, it does automatically strip the leading '..' and
prints "tar: Removing leading `../' from member names". This has been
there since I can remember.
That being said, your patch definitely won't do any harm.
Tomas
--
Tomáš Golembiovský <tgolembi at redhat.com>
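
An added example, not part of the original message or of libguestfs: a Python check for the extraction side of the distinction drawn above, listing archive members whose names are absolute or contain a '..' component before an archive from an untrusted source is unpacked. The function names and the archive contents are constructed for illustration.

```python
import io
import tarfile


def build_sample_archive():
    """Return an in-memory tar whose member names are constructed sample data."""
    names = (
        "ok/disk.img",       # ordinary relative path
        "../escape.txt",     # leading '..'
        "a/../../b.txt",     # '..' in the middle, climbs above the root
        "/abs.txt",          # absolute path
        "notes..txt",        # dots inside a file name, not a path component
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)   # TarInfo keeps the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def unsafe_members(fileobj):
    """List member names that are absolute or contain a '..' path component.

    Only the names are read; nothing is extracted.
    """
    flagged = []
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar:
            components = member.name.split("/")
            if member.name.startswith("/") or ".." in components:
                flagged.append(member.name)
    return flagged


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive()):
        print("refusing member:", name)
```

The check covers member names only; link targets inside an archive need their own validation.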