From owner-freebsd-security Tue Oct 1 10:35:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0124637B401 for ; Tue, 1 Oct 2002 10:35:31 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id DEFE643E77 for ; Tue, 1 Oct 2002 10:35:29 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA19133; Tue, 1 Oct 2002 11:35:07 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20021001113225.034331b0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 01 Oct 2002 11:35:03 -0600 To: "Aaron Namba" , From: Brett Glass Subject: RE: Is FreeBSD's tar susceptible to this? In-Reply-To: References: <4.3.2.7.2.20021001104558.00d3f900@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:15 AM 10/1/2002, Aaron Namba wrote: >It would appear so. > >59 > sh tartest >/../../../../../../..//tmp/foo/bar >/../../../../../../..//tmp/foo/bar >/usr/bin/tar: Removing leading `/' from member names >Your tar is vulnerable Unfortunately, GNU tar has become so pervasive that even OpenBSD (which avoids GNU software) uses it. Gotta break this dependency upon GPLed code. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message