Full Disclosure mailing list archives

Re: GNU tar directory traversal

From: virus () nolog org
Date: Wed, 22 Nov 2006 10:52:12 +0100

Hello,

Siim Põder wrote:

So, for example, I make a tar archieve that contains a symlink to
'bla'->'/etc' and 'bla/passwd', that - if opened by root - would
overwrite the passwd file.


right from the man page: A confirmation is needed if -w is used.

Discussing wether root should ever run tar is irrelevant.


Agreed, the discussion whether root should *run* tar or not is 
irrelevant. One shouldn't *trust* tar files from unknown/untrusted 
sources, root or not.

GTi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

GNU tar directory traversal Teemu Salmela (Nov 21)
- <Possible follow-ups>
- Re: GNU tar directory traversal Jeb Osama (Nov 21)
  - Re: GNU tar directory traversal Gouki (Nov 21)
  - Re: GNU tar directory traversal Teemu Salmela (Nov 22)
  - Re: GNU tar directory traversal Siim Põder (Nov 22)
    - Re: GNU tar directory traversal Teemu Salmela (Nov 22)
    - Re: GNU tar directory traversal virus (Nov 22)
    - Re: GNU tar directory traversal Siim Põder (Nov 22)
    - Re: GNU tar directory traversal virus (Nov 22)
    - Re: GNU tar directory traversal Siim Põder (Nov 22)
    - Re: GNU tar directory traversal virus (Nov 23)
    - Re: GNU tar directory traversal virus (Nov 23)
- Re: GNU tar directory traversal Jeb Osama (Nov 22)