From: Bdale Garbee
Subject: [Bug-tar] [Fwd: Bug#328228: tar: CAN-2005-2541: Should warn when extracting setuid/setgid files]
Date: Wed, 14 Sep 2005 07:53:27 -0600

Hello.

As per the attached, tar's default behavior regarding setuid/setgid bits
has been identified as a security issue and submitted to the Debian bug
tracking system, among other places.

My initial reaction was to be concerned that changing the default would
violate user expectations, but I understand the motivation for this
class of behavioral change request.

I would prefer to not deviate the Debian tar default behavior from
"stock".  What's your take on this?

Please preserve the CC in replies so that our bug tracking system can
keep a record of the conversation.

Bdale

--- Begin Message ---
Subject: Bug#328228: tar: CAN-2005-2541: Should warn when extracting setuid/setgid files
Date: Wed, 14 Sep 2005 11:06:52 +0200
User-agent: Mutt/1.5.9i
Package: tar
Version: 1.15.1-2
Severity: important
Tags: security

Hi!

tar preserves setuid bits when extracting an archive without even a
warning. Please see

  http://marc.theaimsgroup.com/?l=bugtraq&m=112327628230258&w=2

for the original report.

This is similar to CAN-2005-0602 which was recently fixed in unzip.
unzip now ignores setuid and setgid by default and has a command line
option to explicitly allow it (useful for backup restoring). But at
least it should warn the user about creating setuid files.

This is CAN-2005-2541; please mention this in the changelog if you fix
this.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org



--- End Message ---
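The behaviour the bug report describes (an archive entry carrying setuid/setgid mode bits is created on disk with those bits, silently) is easy to check for before extraction. The following Python script is an added example for this thread, not code from GNU tar, Debian or the reporter: it builds a small constructed archive containing one setuid and one setgid entry, lists the entries that would be created with special bits (the warning the report asks for), and then extracts while clearing those bits, which mirrors the unzip default mentioned above. The entry names and modes are made up for the demonstration; only the standard library's tarfile module is used.

```python
import io
import os
import stat
import tarfile
import tempfile

# The two mode bits at issue in CAN-2005-2541.
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def build_sample_archive() -> bytes:
    """Constructed sample: a tar with a setuid file, a setgid file and a plain file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("bin/ping", 0o4755),   # setuid (hypothetical entry)
                           ("bin/wall", 0o2755),   # setgid (hypothetical entry)
                           ("README", 0o644)):     # ordinary file
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_special_bits(archive: bytes):
    """Return [(name, mode)] for members that would be created setuid or setgid.

    This is the pre-extraction check that lets a caller warn (or refuse)
    instead of creating the files silently.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.mode & SPECIAL_BITS:
                hits.append((member.name, member.mode & 0o7777))
    return hits


def extract_without_special_bits(archive: bytes, dest: str):
    """Extract the archive into dest, clearing setuid/setgid on every member.

    Returns the names whose bits were stripped. tarfile applies the mode
    stored on the TarInfo object, so adjusting it before extraction is enough.
    """
    stripped = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getmembers()
        for member in members:
            if member.mode & SPECIAL_BITS:
                stripped.append(member.name)
                member.mode &= ~SPECIAL_BITS
        tar.extractall(path=dest, members=members)
    return stripped


def special_bits_on_disk(dest: str):
    """Walk dest and return relative paths of regular files still carrying setuid/setgid."""
    found = []
    for root, _dirs, files in os.walk(dest):
        for name in files:
            path = os.path.join(root, name)
            if os.stat(path).st_mode & SPECIAL_BITS:
                found.append(os.path.relpath(path, dest))
    return sorted(found)


def demo():
    """Run the check and the sanitised extraction in a temporary directory."""
    archive = build_sample_archive()
    warnings = find_special_bits(archive)
    with tempfile.TemporaryDirectory() as dest:
        stripped = extract_without_special_bits(archive, dest)
        leftovers = special_bits_on_disk(dest)
    return {"warnings": warnings, "stripped": sorted(stripped), "leftovers": leftovers}


if __name__ == "__main__":
    result = demo()
    for name, mode in result["warnings"]:
        print(f"warning: {name} would be created with mode {mode:04o}")
    print("stripped:", result["stripped"], "still special on disk:", result["leftovers"])
```

The scan step is what a wrapper around a restore job can do today regardless of how the tar default is resolved: refuse or prompt when `find_special_bits` returns anything, and only pass the archive on to a privileged restore when the operator has explicitly accepted the listed entries.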
