Date:      Tue, 1 Oct 2002 16:07:31 -0700 (PDT)
From:      "f.johan.beisser" <jan@caustic.org>
To:        Don Lewis <dl-freebsd@catspoiler.org>
Cc:        brett@lariat.org, <kris@obsecurity.org>, <dillon@apollo.backplane.com>, <piechota@argolis.org>, <aaron@namba1.com>, <security@FreeBSD.ORG>
Subject:   Re: RE: Is FreeBSD's tar susceptible to this?
Message-ID:  <20021001155652.S67581-100000@pogo.caustic.org>
In-Reply-To: <200210012254.g91MsFvU014326@gw.catspoiler.org>

On Tue, 1 Oct 2002, Don Lewis wrote:

> What if the tarball installs a symlink to / under the current directory
> followed by files that are unpacked underneath the symlink name?  A
> simple fix for the initial problem mentioned in this thread isn't
> sufficient.

i don't believe that tar(1) will allow you to do that by default.

i know for a fact that OpenBSD won't do it by default, you have to specify
that you want it to follow symlinks:

     -L Follow all symlinks.  In extract mode this means that a
        directory entry in the archive will not overwrite an existing
        symbolic link, but rather what the link ultimately points
        to.

> This is hardly a new problem.  Here's a 1998 BUGTRAQ message:

and, i believe that's been addressed as well. should have been, considering
it's 4 years old now.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan@caustic.org
    "John Ashcroft is really just the reanimated corpse
         of J. Edgar Hoover." -- Tim Triche
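
The archive layout described in the quoted text (a symlink entry followed by entries stored beneath the symlink's name) can be detected before anything is extracted. The following Python check is an added example, not part of the original message or of any tar implementation; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def members_through_symlinks(tar):
    """Return (member, symlink) pairs where a member's path passes
    through a symlink stored earlier in the same archive."""
    links, hits = set(), []
    for m in tar:
        name = posixpath.normpath(m.name)
        parts = name.split("/")
        # Compare every proper ancestor of this member with the links seen so far.
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in links:
                hits.append((m.name, prefix))
                break
        if m.issym():
            links.add(name)
    return hits


def scan(fileobj):
    """Open a tar stream read-only and list suspicious members; nothing is extracted."""
    with tarfile.open(fileobj=fileobj) as tar:
        return members_through_symlinks(tar)


def build_sample(with_link=True):
    """Constructed in-memory sample: optional symlink 'pkg/root' -> '/',
    followed by a file stored underneath that name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        if with_link:
            link = tarfile.TarInfo("pkg/root")
            link.type = tarfile.SYMTYPE
            link.linkname = "/"
            tar.addfile(link)
        below = tarfile.TarInfo("pkg/root/tmp/example")
        below.size = 1
        tar.addfile(below, io.BytesIO(b"x"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, link in scan(build_sample()):
        print(f"{name}: path passes through archived symlink {link}")
```

The check only reads member headers, so it is independent of whether the extracting tar follows symlinks by default.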


