The vulnerability goes basically like this: If you tar a file named "../../../../../etc/passwd" and then make the admin untar it, /etc/passwd gets overwritten.

Another variety of this bug is a symlink one: if tar contains files like:

    ./aaaa-directory -> /etc
    ./aaaa-directory/passwd

then the "aaaa-directory" symlink would be created first and /etc/passwd will be overwritten once again.

I must admit I fail to see the bug. If root untars a file, and that tar file contains an instruction to overwrite /etc/passwd, why is it an error to execute that instruction? Shouldn't root just be more careful when untarring files?

    # Extract only members whose names do not start by climbing out of the target directory.
    if not tarinfo.name.startswith('../'):
        self.extract(tarinfo, path)
    else:
        warnings.warn("non-local file skipped: %s" % tarinfo.name,
                      RuntimeWarning, stacklevel=1)

Ok. You seem to be claiming that the tarfile is incorrect in some sense. Can you please point to some spec that says this is an incorrect tarfile?

In any case, if you fix what you consider broken, you should do it exactly the same way as GNU tar does it (assuming you consider GNU tar fixed).

Regards,
Martin
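
The two variants described in this thread (a "../" member name, and a symlink member followed by a file written beneath it) can be detected before extraction by walking the member list without touching the filesystem. The following is an added example, not code from the thread or from the tarfile module; it goes beyond the `startswith('../')` test by also catching absolute names, names such as `a/../../x`, and link targets. The function names `build_sample`, `escapes` and `audit` are hypothetical, and the archive is constructed in memory.

```python
import io
import posixpath
import tarfile

def build_sample():
    """Constructed archive: one benign file plus both variants from the thread."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("docs/readme.txt")
        add_file("../../../../../etc/passwd")
        link = tarfile.TarInfo("./aaaa-directory")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
        add_file("./aaaa-directory/passwd")
    return buf.getvalue()

def escapes(path):
    """True if a path taken relative to the extraction root is absolute or climbs above it."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")

def audit(tar_bytes):
    """Return (normalized member name, reason) for each member that is unsafe to extract."""
    findings, links = [], set()       # links: paths of link members seen so far
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if escapes(m.name):
                findings.append((name, "name leaves extraction root"))
                continue
            # Conservative: refuse any write that passes through a link the archive created.
            parts = name.split("/")
            via = next((p for p in ("/".join(parts[:i]) for i in range(1, len(parts)))
                        if p in links), None)
            if via is not None:
                findings.append((name, "written through symlink " + via))
                continue
            if m.issym() or m.islnk():
                # Symlink targets resolve from the link's directory, hard links from the root.
                base = posixpath.dirname(name) if m.issym() else ""
                if escapes(posixpath.join(base, m.linkname)):
                    findings.append((name, "link target leaves extraction root"))
                links.add(name)
    return findings
```

An extractor would skip or reject every member that `audit` reports and extract the rest.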