Harry Sintonen discovered that GNU tar does not properly handle member names containing "..", thus allowing an attacker to bypass the path names specified on the command line and replace files and directories in the target directory.