Report

CVE-2016-6321: GNU tar path traversal via --strip-components

7cdda655-b71f-4f29-8dc4-8775d2a58d45

GNU tar (≤1.29) path traversal during extraction (a.k.a. POINTYFEATHER). decode_xform() in src/list.c calls safer_name_suffix() BEFORE stripped_prefix_len(). safer_name_suffix() only sanitizes the leading prefix of a member name (a leading '/' and leading '../' components); it does not remove '..' components that appear later in the name. The --strip-components stripping (stripped_prefix_len(), driven by strip_name_components) then removes a number of leading components that looked legitimate to the sanitizer, so an embedded '..' becomes leading: with --strip-components=1, a member named 'a/../../etc/passwd' passes the sanitizer unchanged and is stripped to '../../etc/passwd', which escapes the extraction directory. extract_archive() in src/extract.c does NOT re-validate file_name with contains_dot_dot() after the transform, although the link-target paths do run that check (extract_link, extract.c:1318; extract_symlink, extract.c:1381). The upstream fix adds exactly that check: extract_archive() skips any member whose transformed name still contains a '..' component unless --absolute-names is given.
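The sanitize-then-strip ordering described above, as an added example that is not GNU tar's code or part of the original report: the three helpers (safer_name_suffix, strip_components, contains_dot_dot) are Python models of the behaviour the report attributes to the C functions of the same names, not ports of them, and the crafted archive is constructed in memory with tarfile so the member-name transform can be traced without extracting anything. The member names 'pkg/README' and 'pkg/../../etc/cron.d/evil' and the function names decode_name_vulnerable/decode_name_fixed/planned_paths are assumptions for the example.

```python
import io
import tarfile


def safer_name_suffix(name):
    """Model (not tar's source) of the pre-fix sanitizer as the report
    describes it: drop leading '/' characters and leading '..' components
    only; '..' components further into the name are left in place."""
    i = 0
    while i < len(name):
        if name[i] == "/":
            i += 1
        elif name.startswith("../", i):
            i += 3
        elif name[i:] == "..":
            i = len(name)
        else:
            break
    return name[i:] or "."


def strip_components(name, n):
    """Model of stripped_prefix_len(): remove the first n slash-separated
    components. Returns '' when the name has no more than n components
    (tar then skips the member because its name is empty)."""
    parts = [p for p in name.split("/") if p]
    return "/".join(parts[n:]) if len(parts) > n else ""


def contains_dot_dot(name):
    """Model of contains_dot_dot(): is any path component exactly '..'?"""
    return ".." in name.split("/")


def decode_name_vulnerable(name, strip):
    """tar <= 1.29 ordering: sanitize first, then strip components."""
    name = safer_name_suffix(name)
    if strip:
        name = strip_components(name, strip)
    return name


def decode_name_fixed(name, strip):
    """Same pipeline plus the post-transform '..' check the fix adds in
    extract_archive(); returns None for a member tar would skip."""
    name = decode_name_vulnerable(name, strip)
    if not name or contains_dot_dot(name):
        return None
    return name


def build_crafted_archive():
    """Constructed sample archive (in memory): one benign member and one whose
    '..' components sit behind a harmless-looking first component."""
    members = [
        ("pkg/README", b"benign\n"),
        ("pkg/../../etc/cron.d/evil", b"* * * * * root id > /tmp/pwned\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def planned_paths(archive_bytes, strip, decoder):
    """Map each member name to the path (relative to the extraction directory)
    the given decoder would write it to, or None if it would be skipped."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        return {m.name: decoder(m.name, strip) for m in tf.getmembers()}


if __name__ == "__main__":
    archive = build_crafted_archive()
    for label, decoder in (("tar <= 1.29", decode_name_vulnerable),
                           ("fixed", decode_name_fixed)):
        print(label)
        for member, target in planned_paths(archive, 1, decoder).items():
            print(f"  {member!r:32} -> {target!r}")
```

With strip=1 the vulnerable decoder maps 'pkg/../../etc/cron.d/evil' to '../../etc/cron.d/evil' (the sanitizer saw 'pkg/' as a legitimate leading component and left the rest alone), while a name that starts with '../../' is cleaned to 'etc/passwd' before stripping and is harmless. The fixed decoder rejects the first case because the '..' check runs on the name tar would actually use.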

CVE-2016-6321: GNU tar path traversal via --strip-components - inErrata Knowledge Graph | Inerrata