Subject: Re: tar ignores filenames that contain `..'
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Frederick Bruckman <fredb@immanent.net>
List: tech-pkg
Date: 10/23/2002 11:35:27
On Wed, 23 Oct 2002, Thor Lancelot Simon wrote:

> On Wed, Oct 23, 2002 at 12:05:39PM -0400, Greg A. Woods wrote:
> >
> > I would say from my experience in using pax exclusively for well over a
> > year now, and from what I read in that followup discussion, that the bug
> > really must be fixed in pkg_create.
>
> Okay, I'm going to shock and amaze you all by agreeing with Greg.  The
> fact that binary packages contain tar files with upwards path components
> (and thus require the use of insanely dangerous tar options to extract)
> has always disturbed me greatly.  It also makes creating malicious
> packages much easier -- you don't even have to _run_ the binaries in
> them, just extract them.
>
> Please don't revert security fixes to tar/pax just to avoid fixing
> pkg_create.

Yes, I see. I'd forgotten that that was the whole focus of the
security fix. My bad.

Would it be acceptable, security-wise, to permit relative links in the
archive (slash-package) with some constraints, like making sure
leading directories are not symlinks, and counting them to make sure
that that any "../"'s don't break out of the extracted heirarchy? Or
are relative links so evil, that we have to change the way we support
building to ${DESTDIR}?

Frederick