From owner-freebsd-security Wed Oct 2 8:56:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 64ECB37B695
	for ; Wed, 2 Oct 2002 08:56:31 -0700 (PDT)
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3CCDF43E77
	for ; Wed, 2 Oct 2002 08:56:11 -0700 (PDT)
	(envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (patr530-b196.otenet.gr [212.205.244.204])
	by mailsrv.otenet.gr (8.12.4/8.12.4) with ESMTP id g92FtYdY006655;
	Wed, 2 Oct 2002 18:55:47 +0300 (EEST)
Received: from hades.hell.gr (hades [127.0.0.1])
	by hades.hell.gr (8.12.6/8.12.6) with ESMTP id g92FtWmM001819;
	Wed, 2 Oct 2002 18:55:32 +0300 (EEST)
	(envelope-from keramida@ceid.upatras.gr)
Received: (from keramida@localhost)
	by hades.hell.gr (8.12.6/8.12.6/Submit) id g92FtQD4001814;
	Wed, 2 Oct 2002 18:55:26 +0300 (EEST)
	(envelope-from keramida@ceid.upatras.gr)
Date: Wed, 2 Oct 2002 18:55:26 +0300
From: Giorgos Keramidas
To: "f.johan.beisser"
Cc: Brett Glass , security@FreeBSD.ORG
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Message-ID: <20021002155526.GA1669@hades.hell.gr>
References: <4.3.2.7.2.20021001162821.036c0530@localhost> <20021001154626.M67581-100000@pogo.caustic.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021001154626.M67581-100000@pogo.caustic.org>
X-PGP-Fingerprint: C1EB 0653 DB8B A557 3829 00F9 D60F 941A 3186 03B6
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 2002-10-01 15:56, "f.johan.beisser" wrote:
> On Tue, 1 Oct 2002, Brett Glass wrote:
> > Also, even if one does list the contents of a large archive (say,
> > a complete distribution of Apache), you'd need to list it slowly
> > and read it critically. Even a really long file name will scroll
> > by FAST during a listing and could be missed.
>
> "tar tvf | [more || less]" doesn't seem that hard to me.

A quick way of checking existing tarballs for upwards directory traversal
is also:

	$ tar tvf tarball.tar | fgrep '..'
	$

This shouldn't print anything.  If it does, be very cautious about
untarring `tarball.tar'.

Agreed, this isn't a "fix".  But at least you can find out about nasty
things before they have any chance to happen and become nastier.

Giorgos.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
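The `tar tvf tarball.tar | fgrep '..'` check above is a good first pass, but `fgrep '..'` matches any member name that merely contains two dots (a `httpd..conf.bak` backup file trips it) and says nothing about absolute member names such as `/etc/passwd`, which are the other shape of entry that can land outside the extraction directory. The script below is an added example, not code from the original message or from FreeBSD: it tests each member name for an absolute path or for `..` as a whole path component, and it is written for a POSIX sh with a `tar` whose `tar tf` prints one member name per line (an assumption about the local tar). The sample listing embedded in it is constructed for the example and does not come from any real archive.

```shell
#!/bin/sh
# Added example: a stricter variant of the `tar tvf | fgrep '..'` check.
# Flags only entries that can escape the extraction directory: absolute
# names and names containing ".." as a complete path component.
# "foo..bar" is not flagged, unlike with a plain fgrep '..'.

# is_unsafe_entry NAME
# Exit 0 if NAME is absolute or has a ".." path component, 1 otherwise.
is_unsafe_entry() {
    case "$1" in
        /*)                  return 0 ;;   # absolute path, e.g. /etc/passwd
        ..|../*|*/..|*/../*) return 0 ;;   # ".." as a whole component
    esac
    return 1
}

# check_listing
# Read member names on stdin (one per line, as `tar tf` prints them),
# report each unsafe one on stderr, and print the number found on stdout.
check_listing() {
    n=0
    while IFS= read -r name; do
        if is_unsafe_entry "$name"; then
            printf 'UNSAFE: %s\n' "$name" >&2
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# check_tarball FILE
# List FILE with the local tar and run the check. Exit status 0 means no
# suspicious member names were seen. (Assumes `tar tf` prints one name
# per line; that is the only assumption about the tar in use.)
check_tarball() {
    count=$(tar tf "$1" | check_listing)
    [ "$count" -eq 0 ]
}

# Constructed sample listing (not from a real archive): benign names mixed
# with the kinds of entries the check is meant to catch.
sample_listing='apache/
apache/README
apache/conf/httpd..conf.bak
../../../../etc/passwd
/etc/ssh/sshd_config
apache/../../outside.sh
..'

# Run the check over the constructed listing and print the count.
# Four entries are unsafe; httpd..conf.bak is correctly left alone.
count_unsafe_in_sample() {
    printf '%s\n' "$sample_listing" | check_listing
}

count_unsafe_in_sample
```

Use `check_tarball some.tar && tar xf some.tar` to gate an extraction on the check. Like the original one-liner, this inspects only the names that the archive claims for its members; it is a way to notice a bad archive before extracting it, not a substitute for a tar that refuses such names itself.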