--- Begin Message ---
Subject: Bug#328228: tar: CAN-2005-2541: Should warn when extracting setuid/setgid files
Date: Wed, 14 Sep 2005 11:06:52 +0200
User-agent: Mutt/1.5.9i
Package: tar
Version: 1.15.1-2
Severity: important
Tags: security
Hi!
tar preserves setuid bits when extracting an archive without even a
warning. Please see
http://marc.theaimsgroup.com/?l=bugtraq&m=112327628230258&w=2
for the original report.
This is similar to CAN-2005-0602 which was recently fixed in unzip.
unzip now ignores setuid and setgid by default and has a command line
option to explicitly allow it (useful for backup restoring). But at
least it should warn the user about creating setuid files.
This is CAN-2005-2541; please mention this in the changelog if you fix
this.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
--- End Message ---
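
The warning requested in the report above can be approximated before extraction. The following is an added example, not part of the original message and not code from tar or unzip: it lists archive members that carry setuid or setgid bits and shows how to clear those bits on the member records. The function names are hypothetical and the sample archive is constructed in memory.

```python
import io
import stat
import tarfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def build_sample_archive() -> bytes:
    """Constructed sample: one plain file, one setuid root file, one setgid file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, uid in (
            ("pkg/README", 0o644, 1000),
            ("pkg/bin/helper", 0o4755, 0),    # setuid, owner uid 0
            ("pkg/bin/spool", 0o2755, 1000),  # setgid
        ):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.size = mode, uid, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_special_members(archive: bytes):
    """Return (name, octal mode, uid, flags) for each setuid/setgid member."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if member.isfile() and member.mode & SPECIAL_BITS:
                flags = [label for bit, label in
                         ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                         if member.mode & bit]
                findings.append((member.name, oct(member.mode), member.uid, flags))
    return findings


def cleared_modes(archive: bytes):
    """Return {name: mode} with setuid/setgid masked off, as an extractor that
    ignores these bits by default would apply them."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return {m.name: m.mode & ~SPECIAL_BITS for m in tar}


if __name__ == "__main__":
    for name, mode, uid, flags in find_special_members(build_sample_archive()):
        print(f"warning: {name} is {'+'.join(flags)} (mode {mode}, uid {uid})")
```
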