Upstream: https://sources.debian.net/src/tar/1.29b-1.1/debian/patches/When-extracting-skip-.-members.patch/
Security: CVE-2016-6321

Description: When extracting, skip ".." members (CVE-2016-6321)
Origin: upstream,  http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
Bug-Debian: https://bugs.debian.org/842339
Forwarded: not-needed.
Author: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
Last-Update: 2016-10-30
---
 src/extract.c | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

--- a/src/extract.c
+++ b/src/extract.c
@@ -1629,12 +1629,20 @@ extract_archive (void)
 {
   char typeflag;
   tar_extractor_t fun;
+  bool skip_dotdot_name;
 
   fatal_exit_hook = extract_finish;
 
   set_next_block_after (current_header);
 
+  skip_dotdot_name = (!absolute_names_option
+		      && contains_dot_dot (current_stat_info.orig_file_name));
+  if (skip_dotdot_name)
+    ERROR ((0, 0, _("%s: Member name contains '..'"),
+	    quotearg_colon (current_stat_info.orig_file_name)));
+
   if (!current_stat_info.file_name[0]
+      || skip_dotdot_name
       || (interactive_option
 	  && !confirm ("extract", current_stat_info.file_name)))
     {