Date: Wed, 2 Oct 2002 18:55:26 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: "f.johan.beisser" <jan@caustic.org>
Cc: Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Message-ID: <20021002155526.GA1669@hades.hell.gr>
In-Reply-To: <20021001154626.M67581-100000@pogo.caustic.org>
References: <4.3.2.7.2.20021001162821.036c0530@localhost> <20021001154626.M67581-100000@pogo.caustic.org>
On 2002-10-01 15:56, "f.johan.beisser" <jan@caustic.org> wrote:
> On Tue, 1 Oct 2002, Brett Glass wrote:
> > Also, even if one does list the contents of a large archive (say,
> > a complete distribution of Apache), you'd need to list it slowly
> > and read it critically. Even a really long file name will scroll
> > by FAST during a listing and could be missed.
>
> "tar tvf <filename> | [more || less]" doesn't seem that hard to me.

A quick way of checking existing tarballs for upwards directory
traversal is also:

    $ tar tvf tarball.tar | fgrep '..'
    $

This shouldn't print anything. If it does, be very cautious about
untarring `tarball.tar'. Agreed, this isn't a "fix". But at least you
can find out about nasty things before they have any chance to happen
and become nastier.

Giorgos.
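The `tar tvf tarball.tar | fgrep '..'` check above is a useful first pass, but it has two known weaknesses: it fires on harmless names that merely contain two dots (`notes..txt`), and it says nothing about absolute member names such as `/etc/motd`. The following script is an added example, not part of Giorgos's post or of any FreeBSD tool; it uses Python's standard `tarfile` module to build a small constructed fixture archive in memory and then compares the naive `fgrep '..'` heuristic against a stricter check that looks at actual path components, absolute names and where symlinks or hard links would point once extracted.

```python
import io
import posixpath
import tarfile


def build_sample_tar():
    """Construct a small in-memory tarball used only as a test fixture.

    The member names are chosen to exercise the checker: two benign
    entries (one with a harmless '..' inside a file name), a member that
    walks above the extraction directory, an absolute path, and a symlink
    whose target resolves outside the archive root.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("apache/README")
        add_file("apache/notes..txt")      # benign: '..' is not a path component
        add_file("../../etc/passwd")       # parent-directory traversal
        add_file("/etc/motd")              # absolute path, not caught by fgrep '..'
        link = tarfile.TarInfo("apache/conf")
        link.type = tarfile.SYMTYPE        # symlink pointing above the archive root
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def member_reasons(info):
    """Return the reasons a tar member is unsafe to extract, or an empty list."""
    reasons = []
    name = info.name
    if name.startswith("/"):
        reasons.append("absolute path")
    # Split into real path components so 'notes..txt' is not a false positive.
    if ".." in posixpath.normpath(name).split("/"):
        reasons.append("parent-directory traversal")
    if info.issym() or info.islnk():
        target = info.linkname
        if target.startswith("/"):
            reasons.append("link to absolute path")
        else:
            # Resolve the link target relative to the member's own directory.
            resolved = posixpath.normpath(
                posixpath.join(posixpath.dirname(name), target))
            if resolved == ".." or resolved.startswith("../"):
                reasons.append("link escapes archive root")
    return reasons


def unsafe_entries(tar_bytes):
    """Scan an archive and return [(member name, [reasons])] for unsafe members."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for info in tar.getmembers():
            reasons = member_reasons(info)
            if reasons:
                findings.append((info.name, reasons))
    return findings


def naive_grep_hits(tar_bytes):
    """Mimic `tar tvf tarball.tar | fgrep '..'` on the verbose listing lines.

    A verbose listing prints symlinks as 'name -> target', so the target is
    part of what fgrep sees; absolute names without '..' are not.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for info in tar.getmembers():
            line = info.name
            if info.issym():
                line += " -> " + info.linkname
            if ".." in line:
                hits.append(line)
    return hits


if __name__ == "__main__":
    sample = build_sample_tar()
    print("fgrep '..' would flag:", naive_grep_hits(sample))
    for name, reasons in unsafe_entries(sample):
        print("UNSAFE %s: %s" % (name, ", ".join(reasons)))
```

Running it shows the naive listing check flagging `apache/notes..txt` (a false positive) and staying silent on `/etc/motd`, while `unsafe_entries` reports exactly the three members that would write outside the extraction directory. The component-wise check is the same rule a hardened extractor applies before creating each file; using it on the listing keeps the "inspect before you untar" spirit of the post.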
