Re: [Bug-tar] Bug#842339: possible fixes for CVE-2016-6321
From: Salvatore Bonaccorso
Subject: Re: [Bug-tar] Bug#842339: possible fixes for CVE-2016-6321
Date: Sun, 30 Oct 2016 08:07:14 +0100
User-agent: NeoMutt/20161014 (1.7.1)
Control: tags -1 + patch
(dropping the bug-tar list, since this reply is only relevant within
Debian).
Hi Paul,
On Sat, Oct 29, 2016 at 09:19:09PM -0700, Paul Eggert wrote:
> Thanks for the heads-up. Yes, it appears the 2003 change was not
> sufficiently paranoid about ".." in member names. Luckily, the tar manual
> still documents the pre-2003 behavior, so we can restore that behavior as a
> simple bug fix. I installed the attached patch into Savannah as one way to
> do that. This patch causes 'tar' to issue two diagnostics when given a
> member name containing "..", and I suppose tar should be cleaned up at some
> point to issue just one diagnostic. The main thing, though, is that the
> patch is simple and fixes the security gotcha in question.
>
> I don't view this as a serious bug, as the tar manual has long said that you
> should extract untrusted tarballs only into empty directories, and doing
> that forestalls the attack even without this patch. (There are other reasons
> for this longstanding recommendation.)
Thanks for the patch!
For reference, attached would be the debdiff for a possible unstable
and jessie-security upload.
Regards,
Salvatore
Attachment: tar_1.27.1-2+deb8u1.debdiff (text document)
Attachment: tar_1.29b-1.1.debdiff (text document)
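As an added illustration that is not part of this thread, of the GNU tar patch, or of the attached debdiffs: the member-name rule Paul describes restoring (refuse any member whose name contains a ".." path component) expressed in Python against a tarball constructed in memory. It covers only the ".." case discussed here, not leading "/" stripping or symlink targets.

```python
import io
import tarfile


def has_parent_dir_component(name: str) -> bool:
    """True if any '/'-separated component of a tar member name is '..'.

    This is the pre-2003 behaviour the thread refers to: a name such as
    'notes/../../outside.txt' must be refused, because extracting it would
    write outside the extraction directory. Note that '..hidden' is a
    legitimate component and is not matched.
    """
    return any(part == ".." for part in name.split("/"))


def unsafe_members(data: bytes) -> list:
    """Return the names of members in an in-memory tarball that contain '..'.

    Only the headers are inspected; nothing is extracted.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return [m.name for m in tar.getmembers()
                if has_parent_dir_component(m.name)]


def build_sample_tarball() -> bytes:
    """Constructed sample (hypothetical data): one harmless member and one
    member whose name attempts to climb out of the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("notes/readme.txt", b"hello\n"),
                              ("notes/../../outside.txt", b"escaped\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Lists the single offending member name from the constructed sample.
    print(unsafe_members(build_sample_tarball()))
```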