It's possible to create symlinks to arbitrary locations on the filesystem within a tarball using the GNUTYPE_NAMES record name. This is demonstrated in the FD post specified.
Also, this has been verified by a Gentoo user here: http://sheepy.org/node/23
For all intents and purposes you can s/rootdo/sudo/g in that report (he's got some crazy scripts, seeing as he's a veteran Gentoo user :). I've also verified this exploit locally.
Base system, please advise.
Proposed fix is here:
And upstream bug: https://savannah.gnu.org/bugs/index.php?18355
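The record type named in the report can be screened for before an archive is handed to tar(1). The Python check below is an added example and is not part of this bug report or of GNU tar: it builds two small constructed archives in memory and audits them, flagging any member carrying GNU tar's 'N' (GNUTYPE_NAMES) typeflag and any member path, symlink target or hard-link target that would resolve outside the extraction root. The GNUTYPE_NAMES constant, the helper names, the sample member names and the placeholder record contents are all assumptions made for the example; the check never interprets the contents of an 'N' record.

```python
import io
import posixpath
import tarfile

# GNU tar's typeflag for the obsolete GNUTYPE_NAMES record. Python's tarfile
# module defines no constant for it, so it is named here (assumption: 'N',
# as in GNU tar's header definitions).
GNUTYPE_NAMES = b"N"


def _escapes_root(path: str) -> bool:
    """True if PATH, taken relative to the extraction root, is absolute or
    would resolve to the root's parent or above."""
    if not path:
        return False
    normalized = posixpath.normpath(path)
    return posixpath.isabs(path) or normalized == ".." or normalized.startswith("../")


def audit_tar(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) findings for an in-memory tar archive.
    An empty list means nothing this check objects to was found."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if m.type == GNUTYPE_NAMES:
                # Legacy record type; refuse it outright rather than parse it.
                findings.append((m.name, "gnutype-names-record"))
            if _escapes_root(m.name):
                findings.append((m.name, "path-escapes-root"))
            if m.issym():
                # A symlink target is relative to the directory holding the link.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if _escapes_root(target):
                    findings.append((m.name, "symlink-escapes-root"))
            if m.islnk() and _escapes_root(m.linkname):
                # A hard link target is an archive path relative to the root.
                findings.append((m.name, "hardlink-escapes-root"))
    return findings


def _add(tar, name, data=b"", **attrs):
    """Append one member with the given header attributes (hypothetical helper)."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    for key, value in attrs.items():
        setattr(info, key, value)
    tar.addfile(info, io.BytesIO(data) if data else None)


def build_clean_archive() -> bytes:
    """Constructed sample: a regular file and a symlink that stays inside pkg/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "pkg/README", b"hello\n")
        _add(tar, "pkg/current", type=tarfile.SYMTYPE, linkname="v1")
    return buf.getvalue()


def build_hostile_archive() -> bytes:
    """Constructed sample: an 'N' record, an absolute symlink target and a
    member path that climbs out of the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "pkg/README", b"hello\n")
        # Placeholder payload: the check keys on the typeflag alone.
        _add(tar, "pkg/names", b"placeholder\n", type=GNUTYPE_NAMES)
        _add(tar, "pkg/etc", type=tarfile.SYMTYPE, linkname="/etc")
        _add(tar, "../escape", b"x\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("clean", build_clean_archive()),
                           ("hostile", build_hostile_archive())):
        findings = audit_tar(archive)
        print(label, "OK" if not findings else findings)
```

Python's own tarfile module does not act on the contents of an 'N' record, so the point of the check is to screen archives before they reach a tar(1) that does; on Python 3.12 and later, `extractall(filter="data")` independently refuses symlinks and member paths that point outside the destination, but it is no substitute for rejecting the legacy record type when the archive will later be unpacked by another tool.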
Mhh, this is evil; tricking somebody into extracting a tar file is easy.
*** Bug 156578 has been marked as a duplicate of this bug. ***
base-system, we are behind schedule, please bump!
cry me a river
1.16-r2 is in portage with the change that actually went into upstream CVS.
Arch teams, please test and stable 1.16-r2.
And you, SPARC'd me all night long....
Stable for HPPA.
Stable on MIPS.
Argh, forgot Alpha. Alpha is stable too.
amd64 done, sorry for the delay.