Subject: Re: tar ignores filenames that contain `..'
To: Frederick Bruckman <fredb@immanent.net>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 10/27/2002 20:19:40
[ On Sunday, October 27, 2002 at 18:25:44 (-0600), Frederick Bruckman wrote: ]
> Subject: Re: tar ignores filenames that contain `..'
>
> Considering that the *threat* is of a malicious archive being
> downloaded from the internet, what chance is there to exploit a race
> condition while the archive is being extracted?

It doesn't have to be a threat just of a malicious archive from some
unknown third party.  Perhaps it was created by a disgruntled colleague,
or modified by some other attacker who's gained local access and is
looking for some way to elevate his privileges.  Perhaps it was an
archive off the net, but maybe an insider has outside help to spoof the
local admin into pulling down the trojaned archive.

This problem really does need to be solved properly once and for all for
everyone everywhere, not just for pkgsrc users -- that's what this is
all about in the first place, just as the original advisory noted:

          Probably, directory traversal is    
      most  dangerous  among  this  bugs, because it allows to craft archive    
      which  will  trojan  system  on  extraction. This problem is known for    
      software  developers,  and  newer  archivers usually have some kind of    
      protection.  But  in  some  cases  this  protection is weak and can be    
      bypassed. 

	-- http://online.securityfocus.com/archive/1/196445

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>