[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-tar] possible fixes for CVE-2016-6321

From: Paul Eggert
Subject: Re: [Bug-tar] possible fixes for CVE-2016-6321
Date: Sat, 29 Oct 2016 21:19:09 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

Thanks for the heads-up. Yes, it appears the 2003 change was not sufficiently paranoid about ".." in member names. Luckily, the tar manual still documents the pre-2003 behavior, so we can restore that behavior as a simple bug fix. I installed the attached patch into Savannah as one way to do that. This patch causes 'tar' to issue two diagnostics when given a member name containing "..", and I suppose tar should be cleaned up at some point to issue just one diagnostic. The main thing, though, is that the patch is simple and fixes the security gotcha in question.

I don't view this as a serious bug, as the tar manual has long said that you should extract untrusted tarballs only into empty directories, and doing that forestalls the attack even without this patch. (There are other reasons for this longstanding recommendation.)

Attachment: 0001-When-extracting-skip-.-members.patch
Description: Text Data

reply via email to

[Prev in Thread] Current Thread [Next in Thread]