I stumbled across this bug. Paul writes:

> And more fundamentally, dpkg-dev should never extract or follow
> symlinks that point outside the source package. That includes all
> absolute ones and any relative ones with too many .. in their link
> target. Even if dpkg-source doesn't write to them during unpack,
> they could have some other impact on the user's system if they
> access them thinking that since Debian source packages are
> self-contained they should be safe.

I agree with this. Raphaël writes:

> dpkg-source delegates extraction to tar. It can't easily cherry-pick
> what to extract...

It could search the tree for bad links after extraction but before
exiting status 0. Or we could request that tar grow an option like
rsync's --safe-links.

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
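The post-extraction scan Ian proposes (walk the unpacked tree, refuse to exit 0 if any symlink points outside it) can be sketched in a few lines. The following is an added illustration, not dpkg-dev code or anything Ian, Paul or Raphaël posted: it applies the same lexical rule as rsync's --safe-links, rejecting absolute targets and relative ones that climb above the extraction root. The sample tree, link names and the function names find_unsafe_symlinks, build_sample_tree and demo are all constructed for this example.

```python
import os
import tempfile


def find_unsafe_symlinks(root):
    """Walk the extracted tree without following links and return
    (link_path, target, reason) for each symlink whose target escapes root.

    The check is lexical, like rsync's --safe-links: absolute targets are
    rejected outright; relative targets are joined to the link's directory,
    normalised (collapsing ..), and must still lie under root. Every link is
    judged on its own, so a link that reaches outside via another link is
    caught when that other link is examined.
    """
    root = os.path.abspath(root)
    unsafe = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories appear in dirnames but are not descended into.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            rel = os.path.relpath(path, root)
            if os.path.isabs(target):
                unsafe.append((rel, target, "absolute target"))
                continue
            resolved = os.path.normpath(os.path.join(dirpath, target))
            if os.path.commonpath([root, resolved]) != root:
                unsafe.append((rel, target, "escapes root via .."))
    return unsafe


def build_sample_tree(base):
    """Constructed stand-in for an unpacked source package (not a real one).

    Contains two links that should pass and two that should be flagged.
    """
    root = os.path.join(base, "pkg-1.0")
    os.makedirs(os.path.join(root, "debian"))
    with open(os.path.join(root, "debian", "rules"), "w") as fh:
        fh.write("#!/usr/bin/make -f\n")
    # Safe: stays inside the package.
    os.symlink("debian/rules", os.path.join(root, "rules-link"))
    # Safe: ".." from debian/ resolves to the package root itself.
    os.symlink("..", os.path.join(root, "debian", "parent-link"))
    # Unsafe: absolute target (constructed path, nothing is written to it).
    os.symlink("/var/lib/outside-file", os.path.join(root, "abs-link"))
    # Unsafe: too many ".." for its depth, lands above the root.
    os.symlink("../../outside", os.path.join(root, "debian", "up-link"))
    return root


def demo():
    """Build the sample tree in a temporary directory and return the findings
    sorted by link path; an unpacker would exit non-zero if the list is non-empty."""
    with tempfile.TemporaryDirectory() as base:
        root = build_sample_tree(base)
        return sorted(find_unsafe_symlinks(root))


if __name__ == "__main__":
    findings = demo()
    for link, target, reason in findings:
        print(f"UNSAFE {link} -> {target} ({reason})")
    raise SystemExit(1 if findings else 0)
```

Running it flags abs-link and debian/up-link and leaves rules-link and debian/parent-link alone. Because the rule is purely lexical it matches what --safe-links does and needs no filesystem access beyond readlink, which is the property you want in a check that runs before any status 0 is returned.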