oss-sec mailing list archives
Re: Directory traversals in cpio and friends?
From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 9 Jan 2015 21:18:29 +0100
* Alexander Cherepanov <cherepan () mccme ru>, 2015-01-08, 02:43:
> The results of tests of tar and cpio archives against various commands
> follow. '=' means that the corresponding file is not extracted, 'x'
> means that it is extracted. IMHO secure configuration should list three
> '=', insecure configuration should list three 'x', everything else is
> inconsistent. The list was created by the attached scripts.
>
> === tar ===
> abs rel link cmd
>  =   =   =   tar -x
>  x   x   x   tar -x -P
>  =   =   =   bsdtar -x
>  x   x   x   bsdtar -x -P
>  =   x   x   paxtar -x
>  x   x   x   paxtar -x -P
>  x   x   x   pax -r

Let me add:

abs rel link cmd
 =   =   x   star -x
 =   =   =   star -x -secure-links
 x   x   x   star -x -/ -..

(tested with star 1.5.3)

-- 
Jakub Wilk
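The probe below is an added example and is not the scripts attached to the thread; it reproduces the three columns of the table (absolute member name, a `../` member name, and a file written through a symlink that points at the parent directory) for tar archives only, which it builds with Python's tarfile module. It reports one row in the same `=`/`x` notation for any extractor: a deliberately insecure in-process extractor (the `tar -x -P` behaviour), a hardened one that refuses members whose resolved path or symlink target leaves the extraction directory, or an external command read from the command line. The probe file names, the sandbox layout and the `-f -` default are assumptions of the example, not taken from the thread.

```python
"""Probe an archive extractor for the three traversal vectors of the table
(abs / rel / link) and print a row in its '=' (not extracted) / 'x'
(extracted) notation.  Added example; tar archives only."""
import io
import os
import shutil
import subprocess
import sys
import tarfile
import tempfile


def _member(name, data=b"probe\n"):
    ti = tarfile.TarInfo(name)          # TarInfo keeps '/' and '..' verbatim
    ti.size = len(data)
    return ti, io.BytesIO(data)


def build_archive(kind, sandbox):
    """Tar bytes whose payload lands in `sandbox` (the parent of the
    extraction dir) if the extractor is insecure for `kind`.  Names are
    constructed for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        if kind == "abs":                                  # absolute name
            tf.addfile(*_member(os.path.join(sandbox, "abs_probe")))
        elif kind == "rel":                                # ../ name
            tf.addfile(*_member("../rel_probe"))
        elif kind == "link":                               # symlink, then file through it
            ln = tarfile.TarInfo("ln")
            ln.type = tarfile.SYMTYPE
            ln.linkname = ".."
            tf.addfile(ln)
            tf.addfile(*_member("ln/link_probe"))
        else:
            raise ValueError(kind)
    return buf.getvalue()


def naive_extract(data, dest):
    """Deliberately insecure: trusts member names (what 'tar -x -P' does)."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            path = os.path.join(dest, m.name)   # an absolute name discards dest
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                with open(path, "wb") as f:
                    f.write(tf.extractfile(m).read())


def _inside(path, root):
    return path == root or path.startswith(root + os.sep)


def safe_extract(data, dest):
    """Refuse members whose resolved path, or symlink target, leaves dest."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.isabs(m.name) or not _inside(target, root):
                continue                       # abs or ../ escape: skip member
            if m.issym():
                link = os.path.realpath(
                    os.path.join(os.path.dirname(target), m.linkname))
                if not _inside(link, root):
                    continue                   # symlink pointing outside: skip
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(m.linkname, target)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as f:
                    f.write(tf.extractfile(m).read())


def probe(extractor, kind):
    """'x' if the probe file escaped the extraction dir, '=' otherwise."""
    sandbox = tempfile.mkdtemp(prefix="trav-")
    try:
        dest = os.path.join(sandbox, "extract")
        os.mkdir(dest)
        try:
            extractor(build_archive(kind, sandbox), dest)
        except (OSError, subprocess.SubprocessError):
            pass                               # a refusing tool may exit non-zero
        escaped = os.path.exists(os.path.join(sandbox, kind + "_probe"))
        return "x" if escaped else "="
    finally:
        shutil.rmtree(sandbox)


def row(extractor):
    """One table row: abs rel link."""
    return " ".join(probe(extractor, k) for k in ("abs", "rel", "link"))


def command_extractor(argv):
    """Wrap an external tool that reads the archive on stdin in cwd."""
    if shutil.which(argv[0]) is None:
        raise SystemExit(f"{argv[0]}: command not found")

    def run(data, dest):
        subprocess.run(argv, input=data, cwd=dest, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return run


if __name__ == "__main__":
    argv = sys.argv[1:] or ["tar", "-x", "-f", "-"]
    print(row(command_extractor(argv)), *argv)
```

Run it as `python3 probe.py tar -x -P -f -` (or `bsdtar -x -f -`, `pax -r`) from a user account, since the whole test, escape targets included, stays inside one temporary directory. The realpath check in `safe_extract` is enough for this probe, but it is check-then-act: a real extractor working in a directory writable by others needs per-component checks with `O_NOFOLLOW` or equivalent to avoid the race.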
Current thread:
- Directory traversals in cpio and friends? Alexander Cherepanov (Jan 07)
- Re: Directory traversals in cpio and friends? Florian Weimer (Jan 08)
- Re: Directory traversals in cpio and friends? Alexander Cherepanov (Jan 10)
- Re: Directory traversals in cpio and friends? Jakub Wilk (Jan 09)
- Re: Directory traversals in cpio and friends? Florian Weimer (Jan 08)