[Bug 8411] Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

bugzilla at busybox.net bugzilla at busybox.net
Mon Nov 9 23:21:48 UTC 2015


https://bugs.busybox.net/show_bug.cgi?id=8411

--- Comment #7 from Tyler Hicks <tyhicks at canonical.com> 2015-11-09 23:21:47 UTC ---
(In reply to comment #6)
> Created attachment 6206 [details]
> Patch for busybox 1.22.0 v4
> 
> Oh, good catch.
> 
> Instead of matching ".." anywhere ("..foo" is totally valid after all!), I'm
> also now just matching on a literal ".."

Something odd happened with the patch that you attached. It is base64 encoded
and, while it does contain some changes, does not contain the change to match a
lateral ".." sequence.

-- 
Configure bugmail: https://bugs.busybox.net/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the busybox-cvs mailing list