Re: [Bug-tar] possible fixes for CVE-2016-6321

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-tar] possible fixes for CVE-2016-6321

From:	Paul Eggert
Subject:	Re: [Bug-tar] possible fixes for CVE-2016-6321
Date:	Sat, 29 Oct 2016 21:19:09 -0700
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

Thanks for the heads-up. Yes, it appears the 2003 change was not sufficientlyparanoid about ".." in member names. Luckily, the tar manual still documents thepre-2003 behavior, so we can restore that behavior as a simple bug fix. Iinstalled the attached patch into Savannah as one way to do that. This patchcauses 'tar' to issue two diagnostics when given a member name containing "..",and I suppose tar should be cleaned up at some point to issue just onediagnostic. The main thing, though, is that the patch is simple and fixes thesecurity gotcha in question.

I don't view this as a serious bug, as the tar manual has long said that youshould extract untrusted tarballs only into empty directories, and doing thatforestalls the attack even without this patch. (There are other reasons for thislongstanding recommendation.)

0001-When-extracting-skip-.-members.patch
Description: Text Data

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-tar] possible fixes for CVE-2016-6321, Antoine Beaupré, 2016/10/29
- Re: [Bug-tar] possible fixes for CVE-2016-6321, Paul Eggert <=
  - Re: [Bug-tar] Bug#842339: possible fixes for CVE-2016-6321, Salvatore Bonaccorso, 2016/10/30

Prev by Date: [Bug-tar] Doc: Example not updated for "--[no-]recursion" change
Next by Date: [Bug-tar] buildbot success in OpenCSW Buildbot on gtar-solaris10-i386
Previous by thread: [Bug-tar] possible fixes for CVE-2016-6321
Next by thread: Re: [Bug-tar] Bug#842339: possible fixes for CVE-2016-6321
Index(es):
- Date
- Thread