Date: Tue, 1 Oct 2002 16:30:37 -0700 (PDT) From: Don Lewis <dl-freebsd@catspoiler.org> To: jan@caustic.org Cc: brett@lariat.org, kris@obsecurity.org, dillon@apollo.backplane.com, piechota@argolis.org, aaron@namba1.com, security@FreeBSD.ORG Subject: Re: RE: Is FreeBSD's tar susceptible to this? Message-ID: <200210012330.g91NUbvU014409@gw.catspoiler.org> In-Reply-To: <20021001155652.S67581-100000@pogo.caustic.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 1 Oct, f.johan.beisser wrote: > On Tue, 1 Oct 2002, Don Lewis wrote: > >> What if the tarball installs a symlink to / under the current directory >> followed by files that are unpacked underneath the symlink name? A >> simple fix for the initial problem mentioned in this thread isn't >> sufficient. > > i don't believe that tar(1) will allow you to do that by default. I don't have an easy way of creating a malicious tarball to do this all in one shot, but it does look like our tar follows symlinks. > mkdir foo > touch foo/bar > tar cvf foo.tar foo/bar foo/bar > rm -r foo > mkdir baz > ln -s baz foo > tar xvf foo.tar foo/bar > ls -l baz total 0 -rw-r--r-- 1 dl dl 0 Oct 1 16:17 bar > i know for a fact that OpenBSD won't do it by default, you have to specify > that you want it to follow symlinks: > > -L Follow all symlinks. In extract mode this means that a di- > rectory entry in the archive will not overwrite an existing > symbolic link, but rather what the link ultimately points > to. Our -L option does something entirely different, which is odd since I got the impression from the comments made in this thread that both FreeBSD and OpenBSD are both using gtar. I also don't think the -L option described above (or the lack of it's use) does anything to help the problem. If there is a symbolic link named "foo" in the filesystem and the tarball contains a directory named "foo", then it sounds like the symlink will be removed and replaced with a directory if the "-L" option is not used, and the directory will be created at the target of the symlink if the "-L" option is used. It doesn't seem to say anything about what is done if there is no "foo" directory in the tarball, but the tarball contains a "foo/bar" file. The only safe way of preventing symlinks from being followed would be to lstat() each component of each path name in the tarball (which is still not safe if there is a hostile process running that could substitute a symlink for something that has already been checked). To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210012330.g91NUbvU014409>