diff -r 8017e8df6a30 Lib/tarfile.py
--- a/Lib/tarfile.py Sun Mar 30 20:34:30 2014 -0400
+++ b/Lib/tarfile.py Mon Mar 31 09:29:46 2014 +0200
@@ -1766,6 +1766,8 @@
 arcname = arcname.replace(os.sep, "/")
 arcname = arcname.lstrip("/")

+ arcname = self.skip_prefixes(arcname)
+
 # Now, fill the TarInfo object with
 # information specific for the file.
 tarinfo = self.tarinfo()
@@ -2065,6 +2067,9 @@
 """Extract the TarInfo object tarinfo to a physical
 file called targetpath.
 """
+
+ targetpath = self.skip_prefixes(targetpath)
+
 # Fetch the TarInfo object for the given name
 # and build the destination pathname, replacing
 # forward slashes to platform specific separators.
@@ -2366,6 +2371,23 @@
 if not self._extfileobj:
 self.fileobj.close()
 self.closed = True
+
+ def skip_prefixes(self, name):
+ '''
+ Skip file system prefixes, leading file name components that
+ contain "..", and leading slashes.
+
+ This is used to prevent the directory traversal attack
+ http://lwn.net/Vulnerabilities/587141/
+ '''
+
+ origpath = name
+ prefixes = name.split("../")
+ fixed_name = prefixes[-1]
+ if len(prefixes) > 1:
+ self._dbg(0, "Removing leading `%s' from %s"
+ % ("../".join(prefixes[0:-1]), origpath))
+ return fixed_name
 # class TarFile

 class TarIter:
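Review bot: The new `arcname = self.skip_prefixes(arcname)` can leave the archive name empty on the add path: after `arcname.lstrip("/")` a name such as `../` splits into `["", ""]` and `skip_prefixes` returns `""`, which then becomes `tarinfo.name` for a header with no name. Because `skip_prefixes` keeps only the text after the last `../`, an interior `..` also rewrites the name (`dir/../file` becomes `file`), so `gettarinfo` silently changes what the caller asked to archive instead of rejecting it. A guard after the call would make the failure explicit: `if not arcname: raise ValueError("empty archive name after sanitizing %r" % name)`. `gettarinfo` starts and ends outside this hunk.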
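Review bot: `targetpath = self.skip_prefixes(targetpath)` sanitizes the full destination path rather than the member name; if `targetpath` arrives already joined with the extraction directory (upstream `extract()` passes `os.path.join(path, tarinfo.name)`), a member named `../../etc/x` turns `<dest>/../../etc/x` into `etc/x`, so the file is written relative to the current working directory instead of under the destination, and an absolute member name is not touched at all. The stripping belongs on `tarinfo.name` before the join, in the caller that still knows `path`. A name-based rewrite also cannot catch traversal through a symlink member extracted earlier in the same archive; the durable check is on the resolved target, e.g. in `extract()`: `real = os.path.realpath(os.path.join(path, tarinfo.name))` and `if not real.startswith(os.path.realpath(path) + os.sep): raise ValueError(...)`. `_extract_member` continues outside this hunk.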
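Review bot: `skip_prefixes` does not do what its docstring promises and still lets some traversal through: `fixed_name = prefixes[-1]` keeps only the text after the *last* `../`, so interior components are discarded (`a/../b/c` becomes `b/c`), while a `..` not followed by a slash survives (`a/../..` becomes `..`, which still resolves above the target), and leading slashes are never removed although the docstring says they are. `self._dbg(0, ...)` also prints to stderr at the default debug level for every rewritten name. A component-wise normalization that resolves each `..` against the preceding component and drops leading `/`, `.` and `..` never returns an escaping path; the same rewrite serves both callers in the first two hunks.

```python
    def skip_prefixes(self, name):
        # … unchanged: docstring …
        origpath = name
        # Walk the "/"-separated components: ".." pops the previous component
        # (or is dropped when there is none), "" and "." are dropped, so
        # neither a leading "/" nor any ".." can survive in the result.
        parts = []
        for comp in name.split("/"):
            if comp in ("", "."):
                continue
            if comp == "..":
                if parts:
                    parts.pop()
                continue
            parts.append(comp)
        fixed_name = "/".join(parts)
        if fixed_name != origpath:
            self._dbg(1, "Rewriting unsafe member name `%s' to `%s'"
                      % (origpath, fixed_name))
        return fixed_name
```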