CVE-2016-6321: GNU tar path traversal via --strip-components applied after safer_name_suffix

GNU tar (release_1_29) allows writing files outside the extraction directory when using --strip-components. The bug is in decode_xform() in src/list.c (lines 77-110): safer_name_suffix() is called FIRST to neutralize path traversal, then strip_name_components removes N leading path components. Since safer_name_suffix only strips leading .. sequences, a crafted archive member like prefix/../../../etc/passwd passes the check (leading component is prefix/, not ..), then after strip-components removes prefix, the result is ../../etc/passwd — a traversal path that is never re-validated. No contains_dot_dot check is applied to regular file names after component stripping in prepare_to_extract().