It's possible to create symlinks to arbitrary locations on the filesystem within a tarball using the GNUTYPE_NAMES record name. This is demonstrated in the FD post specified. Also this has been verified by a Gentoo user here: http://sheepy.org/node/23 For all intents and purposes you can s/rootdo/sudo/g in that report (He's got some crazy scripts seeing as he's a veteran Gentoo user :) I've also verified this exploit locally.
Base system, please advise.
Proposed fix is here: https://savannah.gnu.org/bugs/download.php?file_id=11327
And upstream bug: https://savannah.gnu.org/bugs/index.php?18355
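As an added example (not part of this bug report or of GNU tar's own code), the following Python script shows the pre-extraction check a practitioner would want for untrusted tarballs: it walks the archive headers and flags any GNUTYPE_NAMES record (type flag 'N' in GNU tar's header format, which Python's tarfile module has no constant for, so it is defined here) together with symlinks, hardlinks and member paths that would land outside the extraction directory. The sample archive it scans is constructed in memory; the contents of the 'N' record are a placeholder and are deliberately not interpreted, since the point is to refuse the record outright rather than parse it.

```python
import io
import posixpath
import tarfile

# GNU tar's type flag for the "names" record discussed in this bug.
# Assumption for this example: tarfile has no constant, so we define it.
GNUTYPE_NAMES = b"N"


def _escapes_root(path: str) -> bool:
    """True if a member path would land outside the extraction directory."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def _link_escapes(member_name: str, target: str) -> bool:
    """True if a symlink target, resolved relative to the link's own directory,
    points outside the extraction directory."""
    if target.startswith("/"):
        return True
    joined = posixpath.join(posixpath.dirname(member_name), target)
    return _escapes_root(joined)


def scan_tar(data: bytes) -> list:
    """Return (kind, detail) findings for every suspicious member in the archive.
    Nothing is extracted; only headers are read."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf:
            if m.type == GNUTYPE_NAMES:
                # Refuse the record regardless of what its body says.
                findings.append(("gnu-names-record", m.name))
            if _escapes_root(m.name):
                findings.append(("path-escape", m.name))
            if m.issym() and _link_escapes(m.name, m.linkname):
                findings.append(("symlink-escape", f"{m.name} -> {m.linkname}"))
            if m.islnk() and _escapes_root(m.linkname):
                findings.append(("hardlink-escape", f"{m.name} -> {m.linkname}"))
    return findings


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign file, one GNUTYPE_NAMES record,
    one symlink out of the tree and one member path with '..' in it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        payload = b"hello\n"
        ti = tarfile.TarInfo("pkg/README")
        ti.size = len(payload)
        tf.addfile(ti, io.BytesIO(payload))

        # The 'N' record; body is a placeholder, the scanner never reads it.
        names = b"placeholder\n"
        ti = tarfile.TarInfo("pkg/names")
        ti.type = GNUTYPE_NAMES
        ti.size = len(names)
        tf.addfile(ti, io.BytesIO(names))

        # Symlink whose target leaves the extraction root.
        ti = tarfile.TarInfo("pkg/etc")
        ti.type = tarfile.SYMTYPE
        ti.linkname = "../../etc"
        tf.addfile(ti)

        # Plain member that would be written above the extraction root.
        ti = tarfile.TarInfo("../outside")
        ti.size = 0
        tf.addfile(ti)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, what in scan_tar(build_sample_tar()):
        print(f"{kind}: {what}")
```

Run it on a real archive by replacing `build_sample_tar()` with the file's bytes; any non-empty result means the tarball should not be handed to `tar x` with a privileged user, which is exactly the scenario the report above describes.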
Mhh, this is evil: tricking somebody into extracting a tar file is easy. Please bump.
*** Bug 156578 has been marked as a duplicate of this bug. ***
base-system, we are behind schedule, please bump!
Cry me a river. 1.16-r2 is in portage with the change that actually went into upstream CVS.
arch teams, please test and stable 1.16-r2
x86 done
ppc stable
And you, SPARC'd me all night long....
Stable for HPPA.
ppc64 stable
Stable on MIPS.
Argh, forgot Alpha. Alpha is stable too.
amd64 done, sorry for the delay.
GLSA 200612-10, thanks everyone.