Subject: Re: tar ignores filenames that contain `..'
To: Frederick Bruckman <fredb@immanent.net>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 10/27/2002 20:19:40

[ On Sunday, October 27, 2002 at 18:25:44 (-0600), Frederick Bruckman wrote: ]
> Subject: Re: tar ignores filenames that contain `..'
>
> Considering that the *threat* is of a malicious archive being
> downloaded from the internet, what chance is there to exploit a race
> condition while the archive is being extracted?

It doesn't have to be a threat just of a malicious archive from some
unknown third party. Perhaps it was created by a disgruntled colleague,
or modified by some other attacker who's gained local access and is
looking for some way to elevate his privileges. Perhaps it was an
archive off the net, but maybe an insider has outside help to spoof the
local admin into pulling down the trojaned archive.

This problem really does need to be solved properly once and for all for
everyone everywhere, not just for pkgsrc users -- that's what this is
all about in the first place, just as the original advisory noted:

	Probably, directory traversal is
	most dangerous among this bugs, because it allows to craft archive
	which will trojan system on extraction. This problem is known for
	software developers, and newer archivers usually have some kind of
	protection. But in some cases this protection is weak and can be
	bypassed.

	-- http://online.securityfocus.com/archive/1/196445

--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
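
A pre-extraction check for the traversal problem discussed in this thread, as an added example that is not part of the original message or of any tar implementation: it rejects absolute names, `..` as a whole path component (while accepting a name that merely contains `..`, the case in the subject line), and links that point outside the extraction root. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def unsafe_reason(member):
    """Return why a tar member must not be extracted, or None if it looks safe."""
    name = member.name
    if name.startswith("/"):
        return "absolute path"
    # Compare whole path components: "notes..txt" is fine, "../x" is not.
    if ".." in name.split("/"):
        return "'..' path component"
    if member.issym() or member.islnk():
        target = member.linkname
        # A symlink target is relative to the link's own directory; a hard
        # link target is an archive path relative to the extraction root.
        base = posixpath.dirname(name) if member.issym() else ""
        resolved = posixpath.normpath(posixpath.join(base, target))
        if target.startswith("/") or resolved == ".." or resolved.startswith("../"):
            return "link target outside extraction root"
    return None


def audit(fileobj):
    """Map each member name to its rejection reason (None = acceptable)."""
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        return {m.name: unsafe_reason(m) for m in tar.getmembers()}


def build_sample():
    """Constructed archive: every entry below is made up for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg/README", "pkg/notes..txt", "../../outside/file",
                     "/tmp/abs"):
            tar.addfile(tarfile.TarInfo(name), io.BytesIO(b""))
        link = tarfile.TarInfo("pkg/lib")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit(build_sample()).items():
        print(f"{'REJECT' if reason else 'ok':6} {name}  {reason or ''}")
```

A check on names alone does not cover a symlink that already exists in the destination directory or is swapped in while extraction is running, which is the race condition the quoted question asks about.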