bug-tar

Re: [Bug-tar] BUG: incorrectly creates hard links in archive


From: Paul Eggert
Subject: Re: [Bug-tar] BUG: incorrectly creates hard links in archive
Date: Sat, 10 Jul 2004 11:48:16 -0700
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

Joerg Schilling <address@hidden> writes:

> It allows you to use most tar implementations to remove
> arbitrary files! I call it a big security issue for this reason.

You can't remove arbitrary files with GNU tar 1.14; by default it will
refuse to remove files with absolute path names, for example.  The
only bug is that you can remove files that you could otherwise write
to (i.e., files under the working directory).  This isn't much of a
security hole, as one can already replace such files with zero-length
files.

Anyway, this problem has been fixed in CVS, so the
create-and-remove.tar and remove.tar bugs
are now squashed.

Sergey, when you have the time could you please look at
<ftp://ftp.berlios.de/pub/star/testscripts/>?  This is a valuable
resource for common bugs that GNU tar has historically had in
interpreting tar images.  I have the vague impression that others of
those problems are fixed now but we really should verify that we've
fixed them all.  Thanks.
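
An added example, not part of the message above and not GNU tar code: a pre-extraction audit in Python that lists archive members with absolute names, plus members (including hard-link entries) whose names collide with files already present under the working directory, the two cases the message distinguishes. The archive contents and the names `build_sample_archive` and `audit` are constructed for illustration; the page does not show what remove.tar contains, and this does not reproduce it.

```python
import io
import os
import tarfile

def build_sample_archive():
    """Constructed sample: a plain file, an absolute name, a hard-link entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("notes.txt", "/etc/example.conf"):
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("config.ini")   # hard-link member, no data
        link.type = tarfile.LNKTYPE
        link.linkname = "notes.txt"
        tar.addfile(link)
    return buf.getvalue()

def audit(archive_bytes, workdir):
    """Return (member name, finding) pairs; nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        for member in tar:
            if member.name.startswith("/"):
                findings.append((member.name, "absolute name"))
                continue
            if ".." in member.name.split("/"):
                findings.append((member.name, "parent-directory component"))
                continue
            # A member whose name already exists under workdir would have
            # that file unlinked or replaced when the archive is extracted.
            if os.path.lexists(os.path.join(workdir, member.name)):
                kind = "hard link" if member.islnk() else "member"
                findings.append((member.name, kind + " would replace existing file"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(build_sample_archive(), os.getcwd()):
        print(name + ": " + finding)
```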



