diff --git a/clamav-devel/ChangeLog b/clamav-devel/ChangeLog
index dd4fbf033..d10662d5b 100644
--- a/clamav-devel/ChangeLog
+++ b/clamav-devel/ChangeLog
@@ -1,3 +1,9 @@
+Mon Jun 13 11:49:04 CEST 2005 (tk)
+----------------------------------
+ * libclamav/cvd.c: fix potential directory traversal in cvd unpacker (a low
+ risk problem since all databases are digitally signed).
+ Pointed out by Florian Weimer
+
 Sun Jun 12 11:24:59 CEST 2005 (tk)
 ----------------------------------
 * clamscan: improve output handling
diff --git a/clamav-devel/libclamav/cvd.c b/clamav-devel/libclamav/cvd.c
index 45a4c1bc8..c28c62a82 100644
--- a/clamav-devel/libclamav/cvd.c
+++ b/clamav-devel/libclamav/cvd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2003 - 2004 Tomasz Kojm
+ * Copyright (C) 2003 - 2005 Tomasz Kojm
 *
 * untgz() is based on public domain minitar utility by Charles G. Waldman
 *
@@ -54,7 +54,6 @@ int cli_untgz(int fd, const char *destdir) return -1; } - fullname = (char *) calloc(sizeof(char), strlen(destdir) + 100 + 5); while(1) {
@@ -77,6 +76,14 @@ int cli_untgz(int fd, const char *destdir) strncpy(name, block, 100); name[100] = '\0'; + + if(strchr(name, '/')) { + cli_errmsg("Slash separators are not allowed in CVD.\n"); + free(fullname); + gzclose(infile); + return -1; + } + + strcpy(fullname, destdir); strcat(fullname, "/"); strcat(fullname, name);
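Review bot: The new `strchr(name, '/')` check in the last hunk rejects only the forward slash, so an entry named `..` or `.`, an empty name, or (on builds where `\` is a path separator) a name containing a backslash still reaches the `strcpy`/`strcat` sequence that builds `fullname`. Consider widening the guard to `if(!name[0] || !strcmp(name, ".") || !strcmp(name, "..") || strchr(name, '/') || strchr(name, '\\')) {` and keeping the same cleanup. The early return frees `fullname` and closes `infile`; whether an output file from a previous entry can still be open at this point is not visible, because the body of cli_untgz starts and ends outside the hunk, so that is worth confirming. The ChangeLog's "low risk" assessment presumably depends on the CVD signature being verified before cli_untgz runs, which this diff does not show.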