From owner-freebsd-audit@FreeBSD.ORG Fri Jul 16 04:45:36 2004
Date: Thu, 15 Jul 2004 22:45:28 -0600
From: Scott Long
To: Tim Kientzle
Cc: re@freebsd.org, audit@freebsd.org
Subject: Re: RFC: bsdtar in 5.3
Message-ID: <40F75D68.80400@samsco.org>
In-Reply-To: <40E8275B.1090008@kientzle.com>
List-Id: FreeBSD Security Audit

Tim Kientzle wrote:
> Oliver Eikemeier wrote:
>
>> Are there any plans to do a security audit of bsdtar? This may be an
>> important issue, since tar is often used running as root to unpack
>> downloaded archives.
>
> This is an excellent idea. Obviously,
> someone other than me should lead this:
> any volunteers?
>
> Tim

Where are we on this?

Scott

From owner-freebsd-audit@FreeBSD.ORG Fri Jul 16 08:20:48 2004
Date: Fri, 16 Jul 2004 11:22:59 +0300
From: Giorgos Keramidas
To: Scott Long
Cc: Tim Kientzle, re@freebsd.org, audit@freebsd.org
Subject: Re: RFC: bsdtar in 5.3
Message-ID: <20040716082259.GC6353@orion.daedalusnetworks.priv>
In-Reply-To: <40F75D68.80400@samsco.org>
List-Id: FreeBSD Security Audit

On 2004-07-15 22:45, Scott Long wrote:
> Tim Kientzle wrote:
>> Oliver Eikemeier wrote:
>>> Are there any plans to do a security audit of bsdtar? This may be
>>> an important issue, since tar is often used running as root to
>>> unpack downloaded archives.
>>
>> This is an excellent idea. Obviously, someone other than me should
>> lead this: any volunteers?
>
> Where are we on this?

I thought of replying positively to Tim's initial post, but not as a
"leader" figure of any sort. If I could help by researching test
scenarios, designing some and/or running them, I'd be glad to assist in
any way I can though.

Giorgos