Date: Mon, 3 Feb 2003 03:40:20 +0000 (GMT)
From: William Palfreman <william@palfreman.com>
To: questions@freebsd.org
Subject: Tar bug, mentioned in 4.7 UPDATING
Message-ID: <20030203030500.C66893@ndhn.yna.cnyserzna.pbz>
Hi. I was comparing the /usr/src/UPDATING file on RELENG_4_5, 4_6 and 4_7, and I noticed that there is a fix for a tar bug in the 4.7 pX releases, but not in 4.6.2-pX and 4.5-pX.

4.5: (also 4.6.2 p3)

    20021023: p21   FreeBSD-SA-02:40.kadmind
        Correct kadmind buffer overflow.

4.7:

    20021023: p1    FreeBSD-SA-02:40.kadmind
        Correct bug in the tar(1) contains_dot_dot function allowing files
        to be extracted outside the intended directory tree.

        Correct kadmind buffer overflow.

Do I need to update this manually for my < 4.7 systems? I see there was a bit of discussion on the security list at the time, but I can't see much more about it. I don't see why it can be worth fixing for 4.7 and not for anything else, given how widely used the tar utility is. I don't particularly mind fixing it myself, but it seems odd that this is a critical fix in one release and a feature in others. Is anyone likely to be using this as a feature in earlier releases?

Bill.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
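The UPDATING entry quoted in the message refers to a check in tar(1) that is supposed to stop archive members from being written outside the extraction directory. The following C program is an added illustration of what such a check has to do; it is not the FreeBSD tar(1) source and the function names `contains_dot_dot` and `member_name_is_safe` are used here only to mirror the entry's wording. The member names in `main` are constructed samples. The point it makes is that a correct check must look at path components, not substrings: `..foo/bar` is harmless, while `foo/..` and `./../x` are not, and an absolute member name must be rejected separately because it contains no `..` at all.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true if any '/'-separated component of `path` is exactly "..".
 * Illustrative check, not the FreeBSD tar(1) implementation. */
bool contains_dot_dot(const char *path)
{
    const char *p = path;

    while (*p) {
        /* skip one or more consecutive slashes */
        while (*p == '/')
            p++;
        if (!*p)
            break;

        /* scan one component */
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        /* only an exact ".." component climbs out; "..foo" or "a.." do not */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return true;
    }
    return false;
}

/* Decide whether an archive member name may be extracted relative to the
 * current directory: reject absolute names and any ".." component. */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')          /* absolute path: would ignore the target dir */
        return false;
    if (contains_dot_dot(name))  /* parent-directory traversal */
        return false;
    return true;
}

int main(void)
{
    /* constructed sample member names, not taken from any real archive */
    const char *samples[] = {
        "etc/motd",          /* ok */
        "../../etc/passwd",  /* reject: leading ".." components */
        "foo/../../bar",     /* reject: ".." in the middle */
        "foo/..",            /* reject: trailing ".." */
        "./../x",            /* reject: "." then ".." */
        "/etc/passwd",       /* reject: absolute */
        "..foo/bar",         /* ok: "..foo" is a normal name */
        "a..b/c..",          /* ok: no component is exactly ".." */
    };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++)
        printf("%-20s %s\n", samples[i],
               member_name_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

A substring test such as `strstr(name, "..")` would wrongly reject `..foo/bar` and `a..b/c..`, while a test that only looks at the first two characters would accept `foo/../../bar`; walking the components is what makes the check both complete and precise.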