[Bug-tar] rmt filename support make tar vulnerable?
From: Bdale Garbee
Subject: [Bug-tar] rmt filename support make tar vulnerable?
Date: Mon, 04 Feb 2019 09:22:04 -0700

Back in January of 2005, Joey Hess pointed out in a bug report against
Debian's package of tar that's actually an enhancement request, and as I
clean up my open bug list in preparation for the next Debian release I
realized we never passed it along.

The concern expressed is that tar is vulnerable to potential phishing
attacks because the rmt support doesn't require a slash after the colon,
and thus what's intended to be used for a path name could in theory be
used to enable a network exploit. More details in the bug log at:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290435

I have to admit that I can't remember the last time I actually used the
rmt support... today it seems so much more obvious to pipe things over
an ssh connection, etc?

Any thoughts on whether to take any action on this now, and if so, what,
would be appreciated.

Regards,

Bdale
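
The following is an added example, not part of the original message or of tar's own code: a POSIX shell check that a wrapper script can run on an archive name before handing it to `tar -f`. It assumes GNU tar's rule that a name is treated as remote when it contains a colon that is not the first character and has no `/` before it; the function names and sample file names are constructed for illustration.

```shell
# Decide whether tar would hand this archive name to rmt (remote) handling.
# Assumed rule (GNU tar without --force-local): remote when the name has a
# colon that is not the first character and no '/' appears before that colon.
tar_name_is_remote() {
    name=$1
    case $name in
        *:*) ;;                 # has a colon: keep checking
        *)   return 1 ;;        # no colon: always a local file
    esac
    prefix=${name%%:*}          # text before the first colon
    [ -n "$prefix" ] || return 1    # leading colon: local
    case $prefix in
        */*) return 1 ;;        # slash before the colon: local path
    esac
    return 0                    # would be parsed as host:path
}

# Return a spelling of the name that tar opens as a local file even when
# the original contains a colon (a "./" prefix puts a slash before it).
tar_local_name() {
    if tar_name_is_remote "$1"; then
        printf './%s\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed sample names, classified the way the rule above reads them.
for n in 'plain.tar' 'backup:2019.tar' 'user@host:dump.tar' './a:b.tar'; do
    if tar_name_is_remote "$n"; then
        printf '%-20s remote -> use %s\n' "$n" "$(tar_local_name "$n")"
    else
        printf '%-20s local\n' "$n"
    fi
done
```

GNU tar's `--force-local` option has the same effect as the `./` prefix: the archive is opened as a local file even if its name contains a colon.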