From owner-freebsd-bugs Mon Nov 12 4:50:13 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 93BEF37B418 for ; Mon, 12 Nov 2001 04:50:01 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id fACCo1759295; Mon, 12 Nov 2001 04:50:01 -0800 (PST) (envelope-from gnats) Received: from mailhost.freebsd.lublin.pl (mailhost.freebsd.lublin.pl [212.182.115.12]) by hub.freebsd.org (Postfix) with ESMTP id F40E537B416 for ; Mon, 12 Nov 2001 04:46:54 -0800 (PST) Received: (from root@localhost) by mailhost.freebsd.lublin.pl (8.11.6/8.11.4) id fACCkhd26770 for freebsd-gnats-submit@freebsd.org; Mon, 12 Nov 2001 13:46:43 +0100 (CET) (envelope-from venglin@freebsd.lublin.pl) Received: from lagoon.freebsd.lublin.pl (qmailr@lagoon.freebsd.lublin.pl [212.182.115.11]) by mailhost.freebsd.lublin.pl (8.11.6/8.11.4av) with SMTP id fACCkfF26762 for ; Mon, 12 Nov 2001 13:46:42 +0100 (CET) (envelope-from venglin@freebsd.lublin.pl) Received: (qmail 26757 invoked by uid 1001); 12 Nov 2001 12:46:41 -0000 Message-Id: <20011112124641.26756.qmail@lagoon.freebsd.lublin.pl> Date: 12 Nov 2001 12:46:41 -0000 From: Przemyslaw Frasunek Reply-To: Przemyslaw Frasunek To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 Subject: gnu/31929: GNU Tar shipped with FreeBSD handles relative paths Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 31929 >Category: gnu >Synopsis: GNU Tar shipped with FreeBSD handles relative paths >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Nov 12 04:50:01 PST 2001 >Closed-Date: >Last-Modified: >Originator: Przemyslaw Frasunek >Release: FreeBSD 4.4-STABLE i386 >Organization: czuby.net >Environment: System: FreeBSD lagoon.freebsd.lublin.pl 4.4-STABLE FreeBSD 4.4-STABLE #0: Sat Sep 15 12:00:15 CEST 2001 root@riget.scene.pl:/mnt/lagoon/usr/src/sys/compile/RIGET i386 >Description: FreeBSD ships old version of GNU Tar, which allows to overwrite any file in system, when unpacking archive. Additionally, Tar changes permissions of current directory to 0755, when unpacking malformed archive, containing ".". Both problems were fixed some time ago and most recent version of GNU Tar is secure. This problem can expose security risk for mail anti-virus scanners. >How-To-Repeat: First problem: riget:root:/tmp# touch /etc/test riget:root:/tmp# tar -cf test.tar ../../../../../../etc/test riget:root:/tmp# rm /etc/test riget:root:/tmp# tar -xf test.tar riget:root:/tmp# ls -la /etc/test -rw-r--r-- 1 root wheel 0 12 Lis 13:43 /etc/test Second problem: riget:root:/tmp/dupa# tar -cvf test.tar . ./ tar: test.tar is the archive; not dumped riget:root:/tmp/dupa# chmod 700 . riget:root:/tmp/dupa# tar -xf test.tar riget:root:/tmp/dupa# ls -ld . drwxr-xr-x 2 root wheel 512 12 Lis 13:44 . >Fix: Upgrade GNU Tar from base system to most recent version. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message