Full Disclosure mailing list archives
[CSS] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321) - patch update
From: Harry Sintonen <fulldisclosure () kyber fi>
Date: Sun, 30 Oct 2016 03:03:07 +0200 (EET)
Update on the advisory: As pointed out by several people, the ERROR macro did't fail the operation in a desired way: Files were still being created by tar. In order to really stop tar from doing silly things, FATAL_ERROR macro needs to be used instead. The patch has now been updated accordingly.Updated Advisory: https://sintonen.fi/advisories/tar-extract-pathname-bypass.proper.txt
Updated Patch: https://sintonen.fi/advisories/tar-extract-pathname-bypass.patch NOTE: Ideas on how to make tar safely skip such entries instead of failing the whole operating are welcome. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- [CSS] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321) Harry Sintonen (Oct 26)
- [CSS] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321) - patch update Harry Sintonen (Oct 30)