Date: Tue, 01 Oct 2002 11:35:03 -0600
From: Brett Glass <brett@lariat.org>
To: "Aaron Namba" <aaron@namba1.com>, <security@FreeBSD.ORG>
Subject: RE: Is FreeBSD's tar susceptible to this?
Message-ID: <4.3.2.7.2.20021001113225.034331b0@localhost>
In-Reply-To: <AGEPIAHMBGINOAKELHMPMEOCDOAA.aaron@namba1.com>
References: <4.3.2.7.2.20021001104558.00d3f900@localhost>

At 11:15 AM 10/1/2002, Aaron Namba wrote:

>It would appear so.
>
>59 > sh tartest
>/../../../../../../..//tmp/foo/bar
>/../../../../../../..//tmp/foo/bar
>/usr/bin/tar: Removing leading `/' from member names
>Your tar is vulnerable

Unfortunately, GNU tar has become so pervasive that even OpenBSD
(which avoids GNU software) uses it. Gotta break this dependency
upon GPLed code.

--Brett