tar directory traversal
From: 3APA3A
Subject: tar directory traversal
Date: Mon, 25 Jun 2001 18:50:07 +0400

Hello bug-gnu-utils,
tar checks for absolute path names beginning with '/' but it doesn't
for '../'. It makes it possible to create a tar archive which, when
extracted, will place some files in a directory of the archive author's
choice.
Attached file creates test.txt one level higher than expected by user.
Tested version is
GNU tar version 1.11.2
Please give me feedback even if you feel this behavior is normal or if
this problem is known.
SECURITY.NNOV follows RFPolicy http://www.wiretrip.net/rfp/policy.html
--
http://www.security.nnov.ru
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
test.tar
Description: Unix tar archive