CVSROOT: /cvs Module name: src Changes by: mill...@cvs.openbsd.org 2019/05/27 09:11:01
Modified files:
usr.bin/compress: main.c
Log message:
For "gunzip -N", only use the basename of the stored path.
Fixes a directory traversal bug when the stored name includes a
directory component. Both GNU gzip and our gzip store the basename
of the path when compressing but a malicious .gz file could contain
an arbitrary path. Problem found by elvis alien. OK deraadt@
