Date: Tue, 01 Oct 2002 16:08:46 -0600
From: Brett Glass <brett@lariat.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, Matt Piechota <piechota@argolis.org>, Aaron Namba <aaron@namba1.com>, security@FreeBSD.ORG
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
Message-ID: <4.3.2.7.2.20021001160301.034597f0@localhost>
In-Reply-To: <20021001213251.GA54642@xor.obsecurity.org>
References: <4.3.2.7.2.20021001133156.03609ec0@localhost> <4.3.2.7.2.20021001113225.034331b0@localhost> <4.3.2.7.2.20021001122135.0344e410@localhost> <4.3.2.7.2.20021001133156.03609ec0@localhost>
At 03:32 PM 10/1/2002, Kris Kennaway wrote:

> Discussions of licensing and reimplementation of GNU utilities are
> off-topic for security. However, I encourage you to continue this
> discussion in another forum. For example, NetBSD's pax(1) code has a
> half-implemented GNU tar compatibility mode which could be extended to
> cover most of the common GNU tar options.

Yes, it does have most of the features of GNU tar. About the only thing it's missing is bzip2 capability, which is easy to add. Complete code to translate the command line options would be dull work but not technically challenging at all. (It could even be done by a Perl front end, though it'd be better to reduce it to C.)

In the meantime, though, is there a chance that a fix for the vulnerability can be slipped into 4.7 prior to release? I'd hate to be exploding a tarball, as root, and discover that it had upreferenced to the top of the directory tree and installed something nasty. (If such an exploit were to hit /etc/crontab, it could run arbitrary code in a minute or less -- probably before the admin could react.)

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
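A defender-side pre-extraction check for the "upreferencing" Brett describes, added here as an example and not code from this thread, from FreeBSD, or from GNU tar: it lists the members of a constructed in-memory tarball whose names, or whose symlink targets, would resolve above the extraction directory, which is exactly what an extractor running as root should refuse before writing anything. All member names and the destination directory are constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def escaping_members(tar, dest):
    """Names of archive members that would be written outside dest.

    A member escapes when its path, or the target of a symbolic link it
    creates, resolves somewhere other than inside dest once '..' and
    absolute components are normalised.
    """
    dest_real = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        # os.path.join discards dest for an absolute name, so absolute
        # members fail the containment test just like '..' members do.
        target = os.path.realpath(os.path.join(dest_real, m.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(m.name)
            continue
        if m.issym():
            # A symlink target is relative to the link's own directory.
            link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
            if os.path.commonpath([dest_real, link]) != dest_real:
                bad.append(m.name)
    return bad


def build_sample_archive():
    """Constructed tarball: one benign file, a '..' name, an absolute name,
    and a symlink whose target points above the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        for name in ("pkg/README", "../escape.txt", "/abs/file"):
            ti = tarfile.TarInfo(name)
            ti.size = 1
            tw.addfile(ti, io.BytesIO(b"x"))
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tw.addfile(link)
    buf.seek(0)
    return buf


def demo():
    dest = tempfile.mkdtemp()  # constructed extraction directory
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tr:
        return escaping_members(tr, dest)


if __name__ == "__main__":
    print(demo())  # ['../escape.txt', '/abs/file', 'pkg/link']
```

The benign member pkg/README is not reported; the three that would land outside the destination are, and an extractor can abort on a non-empty result before touching the filesystem.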