From owner-freebsd-security Tue Oct 1 16:07:44 2002
Delivered-To: freebsd-security@freebsd.org
Date: Tue, 1 Oct 2002 16:07:31 -0700 (PDT)
From: "f.johan.beisser"
To: Don Lewis
Cc: brett@lariat.org, , , , ,
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
In-Reply-To: <200210012254.g91MsFvU014326@gw.catspoiler.org>
Message-ID: <20021001155652.S67581-100000@pogo.caustic.org>

On Tue, 1 Oct 2002, Don Lewis wrote:

> What if the tarball installs a symlink to / under the current directory
> followed by files that are unpacked underneath the symlink name?  A
> simple fix for the initial problem mentioned in this thread isn't
> sufficient.

I don't believe that tar(1) will allow you to do that by default. I know
for a fact that OpenBSD won't do it by default; you have to specify that
you want it to follow symlinks:

     -L      Follow all symlinks.  In extract mode this means that a
             directory entry in the archive will not overwrite an existing
             symbolic link, but rather what the link ultimately points to.

> This is hardly a new problem.  Here's a 1998 BUGTRAQ message:

And I believe that's been addressed as well. It should have been,
considering it's 4 years old now.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                         jan@caustic.org
"John Ashcroft is really just the reanimated corpse
 of J. Edgar Hoover." -- Tim Triche
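The attack Don Lewis describes above (a symlink member pointing at / or at a parent directory, followed by ordinary members whose paths pass through the link) is easy to check for before extraction. The following is an added example written for this page; it is not code from FreeBSD, OpenBSD or the list participants. It builds a small constructed archive in memory containing exactly that pattern plus a `..` member and some benign entries, then audits the member list by simulating extraction: every member path is resolved through the symlinks recorded from earlier members, and anything that would land outside the extraction root (or loop forever through symlinks) is reported. All file names in the sample archive are made up.

```python
import io
import posixpath
import tarfile

MAX_LINK_DEPTH = 40  # bound on symlink-chain resolution, guards against a->b->a loops


def resolve(path, links, depth=0):
    """Resolve an archive-relative path against symlinks seen so far.

    `links` maps an already-resolved symlink path (e.g. "esc") to its target
    string (e.g. "/").  Returns the normalized, link-free path relative to
    the extraction root, or None if the path escapes the root (absolute
    target, leading "..", or a symlink chain deeper than MAX_LINK_DEPTH).
    """
    if depth > MAX_LINK_DEPTH:
        return None
    parts = [p for p in posixpath.normpath(path).split("/") if p not in ("", ".")]
    cur = ""
    for i, part in enumerate(parts):
        if part == "..":
            if cur == "":            # trying to climb above the extraction root
                return None
            cur = posixpath.dirname(cur)
            continue
        cand = posixpath.join(cur, part) if cur else part
        if cand in links:
            target = links[cand]
            if target.startswith("/"):
                return None          # link into an absolute location such as "/"
            # Substitute the link target (relative to the link's directory)
            # and re-resolve the remainder; the target may itself hit a link.
            rejoined = posixpath.join(cur, target, *parts[i + 1:])
            return resolve(rejoined, links, depth + 1)
        cur = cand
    return cur


def audit_archive(data):
    """Return [(member_name, reason)] for every member unsafe to extract."""
    findings = []
    links = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            if m.name.startswith("/"):
                findings.append((m.name, "absolute member name"))
                continue
            dest = resolve(m.name, links)
            if dest is None:
                findings.append((m.name, "path escapes root via '..' or an earlier symlink"))
                continue
            if m.issym():
                where = posixpath.join(posixpath.dirname(dest), m.linkname)
                if m.linkname.startswith("/") or resolve(where, links) is None:
                    findings.append((m.name, "symlink -> %s leaves extraction root" % m.linkname))
                # Record it even when flagged: a naive tar would create it, and
                # later members routed through it must be flagged too.
                links[dest] = m.linkname
            elif m.islnk() and resolve(m.linkname, links) is None:
                findings.append((m.name, "hard link -> %s leaves extraction root" % m.linkname))
    return findings


def build_demo_archive():
    """Constructed sample archive reproducing the symlink-to-/ attack."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, payload):
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            tf.addfile(ti, io.BytesIO(payload))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tf.addfile(ti)

        add_file("pkg/README", b"harmless\n")          # benign
        add_symlink("pkg/cur", "README")                 # benign relative link
        add_symlink("esc", "/")                          # step 1 of the attack
        add_file("esc/etc/profile.d/evil.sh", b"# injected\n")  # step 2: written through it
        add_file("../../etc/passwd", b"root::0:0::/:/bin/sh\n")   # classic dot-dot escape
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_demo_archive()):
        print("%-32s %s" % (name, reason))
```

The point of the simulation is the `links` table: judging each member name on its own would pass `esc/etc/profile.d/evil.sh`, because nothing in that string looks dangerous. Only by remembering that `esc` was just extracted as a symlink to `/` does the second member get caught, which is exactly why a fix limited to rejecting `..` and absolute names is not sufficient. (Recent Python versions ship a comparable check as `tarfile.extractall(..., filter="data")`; this block shows what such a filter has to track.)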