Date: Wed, 2 Oct 2002 20:27:04 +0300
From: Alexandr Kovalenko
To: Giorgos Keramidas
Cc: "f.johan.beisser", Brett Glass, security@FreeBSD.ORG
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Message-ID: <20021002172704.GA27421@nevermind.kiev.ua>
In-Reply-To: <20021002155526.GA1669@hades.hell.gr>

Hello, Giorgos Keramidas!

On Wed, Oct 02, 2002 at 06:55:26PM +0300, you wrote:

> > "tar tvf | [more || less]" doesn't seem that hard to me.
> A quick way of checking existing tarballs for upwards directory
> traversal is also:
>
> $ tar tvf tarball.tar | fgrep '..'

err, this doesn't seem correct to me. I think that 'file..name' is a correct
filename. Yes. It is not commonly used but it could be.

-- 
NEVE-RIPE
Ukrainian FreeBSD User Group
http://uafug.org.ua/
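
The distinction raised in this message, as an added example that is not part of the original thread or of FreeBSD's tar: a filter that flags a member name only when one of its "/"-separated components is exactly "..", compared with the substring match from the quoted command. It goes slightly beyond the message by also flagging absolute paths; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Filter: member names on stdin (one per line, as `tar tf` prints them),
# unsafe names on stdout. A name is unsafe if it is absolute or if any
# "/"-separated component is exactly "..". Names such as "file..name"
# pass. Member names containing newlines are not handled.
unsafe_members() {
    awk '{
        bad = (substr($0, 1, 1) == "/")
        n = split($0, part, "/")
        for (i = 1; i <= n; i++)
            if (part[i] == "..") bad = 1
        if (bad) print
    }'
}

# Hypothetical wrapper: 0 = no unsafe names, 1 = unsafe names found
# (listed on stderr), 2 = tar could not list the archive. The listing is
# captured first so that a tar failure is not mistaken for a clean result.
check_tarball() {
    names=$(tar tf "$1") || return 2
    found=$(printf '%s\n' "$names" | unsafe_members)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" >&2
    return 1
}

# Constructed sample listing, not output from a real archive.
sample_names() {
    cat <<'EOF'
docs/file..name
src/..hidden/notes.txt
../etc/passwd
pkg/../../outside.txt
/etc/motd
trailing/..
EOF
}

# Substring match as in the quoted command (grep -F is the same as fgrep).
substring_hits() { sample_names | grep -F -c '..'; }
# Component-wise match.
component_hits() { sample_names | unsafe_members | wc -l | tr -d ' '; }

echo "substring: $(substring_hits)  component: $(component_hits)"
```

On the sample listing the substring match flags the two harmless names and misses the absolute path; symlink members that point outside the extraction directory are a separate case that a name check does not see.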