Re: path traversal in tar extract in intel cve-bin-tool

[lists () notatla org uk]

> But the custom filter wouldn't be sound even with the typo fixed, 
> because str.startswith() and Path.resolve() are wrong tools for the job.

> Anyway, I suspect that cve-bin-tool's extractors for other file formats 
> are still vulnerable to path traversal, so I wouldn't recommend running 
> it against untrusted files.


`We must first agree that software security is not security
software', writes Gary McGraw in the first chapter ..


http://swsec.com/press/ra-ieeesp.php