A directory traversal vulnerability was discovered in GNU tar. The vulnerability can be exploited by a specially crafted tar archive to overwrite an arbitrary file writable by the user running tar. The problem occurs in the contains_dot_dot function, which does not properly check names of directory symlinks.

Acknowledgements: Red Hat would like to thank Dmitry V. Levin for reporting this issue.
Created attachment 161175: contains_dot_dot patch

Patch by Dmitry V. Levin used by Owl.
Patch is in upstream cvs, embargo removed.
This issue did not affect tar packages as distributed with Red Hat Enterprise Linux 2.1 or 3.
Issue fixed on all supported platforms, closing Security Response bug.