new file mode 100644

@@ -0,0 +1,100 @@

+diff --git a/decode.c b/decode2.c

+index c16ea2d..2e290d1 100644

+--- a/lib/decode.c

+@@ -21,24 +21,54 @@

+ # include <string.h>

+ #endif

+ 

++char *

++safer_name_suffix (char const *file_name)

++{

++	char const *p, *t;

++	p = t = file_name;

++	while (*p)

++	{

++		if (p[0] == '.' && p[0] == p[1] && p[2] == '/')

++		{

++			p += 3;

++			t = p;

++		}

++		/* advance pointer past the next slash */

++		while (*p && (p++)[0] != '/');

++	}

++

++	if (!*t)

++	{

++		t = ".";

++	}

++

++	if (t != file_name)

++	{

++		/* TODO: warn somehow that the path was modified */

++	}

++	return (char*)t;

++}

+ 

+ /* determine full path name */

+ char *

+ th_get_pathname(TAR *t)

+ {

+ 	static TLS_THREAD char filename[MAXPATHLEN];

++	char *safer_name;

+ 

+ 	if (t->th_buf.gnu_longname)

+-		return t->th_buf.gnu_longname;

++		return safer_name_suffix(t->th_buf.gnu_longname);

++

++	safer_name = safer_name_suffix(t->th_buf.name);

+ 

+ 	if (t->th_buf.prefix[0] != '\0')

+ 	{

+ 		snprintf(filename, sizeof(filename), "%.155s/%.100s",

+-			 t->th_buf.prefix, t->th_buf.name);

++			 t->th_buf.prefix, safer_name);

+ 		return filename;

+ 	}

+ 

+-	snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);

++	snprintf(filename, sizeof(filename), "%.100s", safer_name);

+ 	return filename;

+ }

+ 

+Index: libtar-1.2.16/lib/extract.c

+===================================================================

+--- libtar-1.2.16.orig/lib/extract.c	2013-12-09 14:11:03.212344872 +0100

+@@ -305,7 +305,7 @@ tar_extract_hardlink(TAR * t, char *real

+ 		linktgt = &lnp[strlen(lnp) + 1];

+ 	}

+ 	else

+-		linktgt = th_get_linkname(t);

++		linktgt = safer_name_suffix(th_get_linkname(t));

+ 

+ #ifdef DEBUG

+ 	printf("  ==> extracting: %s (link to %s)\n", filename, linktgt);

+@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna

+ 

+ #ifdef DEBUG

+ 	printf("  ==> extracting: %s (symlink to %s)\n",

+-	       filename, th_get_linkname(t));

++	       filename, safer_name_suffix(th_get_linkname(t)));

+ #endif

+-	if (symlink(th_get_linkname(t), filename) == -1)

++	if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)

+ 	{

+ #ifdef DEBUG

+ 		perror("symlink()");

+Index: libtar-1.2.16/lib/internal.h

+===================================================================

+--- libtar-1.2.16.orig/lib/internal.h	2012-05-17 09:34:32.000000000 +0200

+@@ -15,6 +15,7 @@

+ 

+ #include <libtar.h>

+ 

++char* safer_name_suffix(char const*);

+ #ifdef TLS

+ #define TLS_THREAD TLS

+ #else

+

@@ -1,7 +1,7 @@

 Summary:        C library for manipulating tar files

 Name:           libtar

 Version:        1.2.20

-Release:        4%{?dist}

+Release:        5%{?dist}

 URL:            https://github.com/tklauser/libtar/archive/v1.2.20.tar.gz

 License:        MIT

 Group:          System Environment/Libraries

@@ -10,6 +10,7 @@ Distribution:   Photon

 Source0:        libtar-%{version}.tar.gz

 %define         sha1 libtar=b3ec4058fa83448d6040ce9f9acf85eeec4530b1

 Patch0:         libtar-gen-debuginfo.patch

+patch1:         libtar-CVE-2013-4420.patch

 Provides:       libtar.so.0()(64bit)

 %description

@@ -27,6 +28,7 @@ developing applications that use libtar.

 %prep

 %setup

 %patch0

+%patch1 -p1

 autoreconf -iv

 %build

@@ -56,6 +58,8 @@ chmod +x %{buildroot}/%{_libdir}/libtar.so.*

 %{_libdir}/libtar.la

 %changelog

+*   Thu Nov 02 2017 Xiaolin Li <xiaolinl@vmware.com> 1.2.20-5

+-   Fix CVE-2013-4420

 *   Thu Jun 29 2017 Chang Lee <changlee@vmware.com> 1.2.20-4

 -   Removed %check due to no test existence.

 *   Tue Apr 25 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.2.20-3