From ${URL}: strip and objcopy don't filter out .. components from paths inside archive. Consider an archive created with the following command: $ printf '!<arch>\n%-48s%-10d`\n../file\n%-48s%-10s`\n' '//' 8 '/0' 0 > test.a then runnig strip/objcopy on it will unlink ./file (e.g. unlink("stq0g2tL/../st4Mtgu4/../file") ). Consider this: $ printf '!<arch>\n%-48s%-10d`\n../../file\n\n%-48s%-10s`\n' '//' 12 '/0' 0 > test.a then runnig strip/objcopy on it will unlink ../../file (e.g. unlink("staOxyFW/../../st4KIqLm/../../file") ). See also https://sourceware.org/bugzilla/show_bug.cgi?id=17533#c4 . ## See also http://seclists.org/oss-sec/2014/q4/583 : Directory traversal vulnerability allowing random files deleteion/creation Upstream tracker: https://sourceware.org/bugzilla/show_bug.cgi?id=17552 Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42 Out-of-bounds memory write while processing a crafted "ar" archive Upstream tracker: https://sourceware.org/bugzilla/show_bug.cgi?id=17533 Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bb0d867169d7e9743d229804106a8fbcab7f3b3 ##
*** This bug has been marked as a duplicate of bug 526626 ***
