Little flaw in GNUtar processing name header records containing '../'

[Sticky Bit]

Hi,

I discoverd, that tar (testet with GNU tar1.13 on Linux and GNU tar 1.12 on
Windows) doesn't strip off any '../' contained in the name header record
field (and sure the lname field also) but just directly gives this path to
the system. I can hardly image for what a relativ path containing '../'
could be useful for in a tar-file and why tar doesn't strip it, it does the
same with leading '/' (and this for a good reason I guess!), I guess just no
one did imagine spoofed tar-files since now and so didn't see any meaning in
checking for '../' in the name field. So I assume that this behaviour is
just a little flaw. OK one should know what ones doing but I guess only few
people will be suspicous (a 'tar -t' would be the first weapon of choice of
course but with large archive it's easy to miss exactly the entry wich is
the harmful...) extracting a tar-file, but a "good-spoofed" one an especialy
the circumstance that one is often going to install new software when
extracting tar-files and is therefor logged in as some kind of super user
might cause serious damage to the machine. However I think you should look
into this issue, and maybe solve this like the removing of the leading '/',
strip '../' off by default and only allow it when a special switch was set,
my suggestion. I'm sorry, I can't send you any patches, as I think I'm not
good enough in C to corect this properly, it would be bad "patch-work" done
by me.
I attched a spoofed tar file that demonstrates the problem. Extracted with
'tar -xf' it will create a textfile named 'dotdot.txt' with a little message
just one directory up of the current work directory, feel free to test it.
Please tell me ASAP what you plan to do about this. I'm planing to publish
at least some little advisory about this, as it seems to be a problem of
several other package utilitys i. e. WinZip or WinRAR on the Windows
platform too and I'm not willing to test all of them and mail the vendors,
however developers, well everybody should have a chance to become aware of
this. I would be glad if I could tell people to about your solution on this.

Greetings

Florian "sticky_bit" Schafferhans

dotdot.tar
Description: Unix tar archive