Date: Tue, 01 Oct 2002 16:31:39 -0600
From: Brett Glass <brett@lariat.org>
To: "f.johan.beisser" <jan@caustic.org>
Cc: security@FreeBSD.ORG
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Message-ID: <4.3.2.7.2.20021001162821.036c0530@localhost>
In-Reply-To: <20021001151050.F67581-100000@pogo.caustic.org>
References: <4.3.2.7.2.20021001160301.034597f0@localhost>
At 04:21 PM 10/1/2002, f.johan.beisser wrote:

>if you're untarring something, shouldn't you review what you're looking at
>first anyway?

Most people look at what's being untarred as it happens. They don't expect upward directory traversal to be possible, so they don't anticipate being hit in the way that this bug allows.

Also, even if one does list the contents of a large archive (say, a complete distribution of Apache), you'd need to list it slowly and read it critically. Even a really long file name will scroll by FAST during a listing and could be missed.

Let's preserve the intended function of the program and also abide by the POLA. I'm sure that this will get fixed sometime soon, but what I'd *really* like is to see a quick patch in time for 4.7.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
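As an added example (not code from this thread or from FreeBSD's tar), a Python pre-extraction audit that walks an archive's member list and flags what a visual listing easily misses: absolute paths, `..` components, and links that resolve above the extraction root. The archive it inspects is constructed inline for the demonstration; the function names `is_unsafe_member`, `audit_archive` and `build_sample_archive` are chosen here.

```python
import io
import posixpath
import tarfile


def is_unsafe_member(name):
    """True if a member name could land outside the extraction directory.

    Flags absolute names and any '..' path component (the upward traversal
    the thread discusses). Backslashes are treated as separators too, since
    some extractors honour them.
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    return any(part == ".." for part in normalized.split("/"))


def audit_archive(data):
    """Return the names of members in a tar byte string that would escape.

    Link targets are checked as well: a symlink pointing above the tree,
    followed by a later member written through it, is another way out.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if is_unsafe_member(member.name):
                bad.append(member.name)
            elif member.issym() or member.islnk():
                target = member.linkname
                if member.issym() and not target.startswith("/"):
                    # symlinks resolve relative to their own directory
                    target = posixpath.join(posixpath.dirname(member.name), target)
                if is_unsafe_member(posixpath.normpath(target)):
                    bad.append(member.name)
    return bad


def build_sample_archive():
    """Constructed sample: one benign file, one traversal name, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("apache/README", "apache/../../../tmp/escaped.txt"):
            payload = b"demo\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("apache/conf")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc"
        tf.addfile(link)
    return buf.getvalue()
```

Run the audit and refuse to extract when the returned list is non-empty; on Python 3.12 and later, `extractall(filter="data")` rejects the same members at extraction time.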