[Bug 8411] tar: directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

bugzilla at busybox.net bugzilla at busybox.net
Wed Apr 26 07:54:53 UTC 2017


https://bugs.busybox.net/show_bug.cgi?id=8411

--- Comment #14 from Andrej Valek <andrej.valek at siemens.com> ---
(In reply to Chris Lamb (lamby) from comment #10)
> Patch for busybox 1.22.0 v5
There is a missing closing bracket in the if condition.
> if ((!strncmp(file_header->link_target, "/", 1))
> || ((!strcmp(file_header->link_target, ".."))
> || (strstr(file_header->link_target, "../"))) {
should be
if ((!strncmp(file_header->link_target, "/", 1))
 || ((!strcmp(file_header->link_target, ".."))
 || (strstr(file_header->link_target, "../")))) {

The changes have not been included in a release yet.
The last change of the patch was on "2015-11-09 23:29 UTC" and currently the latest
release is "10 January 2017 -- BusyBox 1.26.2 (stable)".

My question is, are the changes not so necessary to be upstreamed?

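The corrected condition from comment #14, as an added example that is not part of the bug report, the patch or BusyBox itself: it wraps the condition in a function and runs it beside a component-wise check over constructed link targets, to show which inputs the two classify differently. The function names, the component-wise variant and the sample targets are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The corrected condition from the comment, wrapped in a function.
 * The function name is hypothetical; link_target stands in for
 * file_header->link_target. */
static int substring_check(const char *link_target)
{
    if ((!strncmp(link_target, "/", 1))
     || ((!strcmp(link_target, ".."))
     || (strstr(link_target, "../")))) {
        return 1;
    }
    return 0;
}

/* Hypothetical component-wise variant (not from the patch): flag an
 * absolute target or any path component that is exactly "..". */
static int component_check(const char *link_target)
{
    const char *p = link_target;

    if (*p == '/')
        return 1;
    while (*p) {
        size_t len = strcspn(p, "/");   /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;
        while (*p == '/')               /* skip one or more separators */
            p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample link targets, not taken from the bug report. */
    static const char *samples[] = {
        "/etc", "..", "../x", "lib/libfoo.so", "./..", "v1../notes"
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s substring=%d component=%d\n", samples[i],
               substring_check(samples[i]), component_check(samples[i]));
    return 0;
}
```

The two checks agree on the first four samples and differ on the last two: a trailing ".." component after "./" passes the substring test, while a file name that merely ends in ".." before a slash is flagged by it.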