[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-tar] Bug#842339: possible fixes for CVE-2016-6321

From: Salvatore Bonaccorso
Subject: Re: [Bug-tar] Bug#842339: possible fixes for CVE-2016-6321
Date: Sun, 30 Oct 2016 08:07:14 +0100
User-agent: NeoMutt/20161014 (1.7.1)

Control: tags -1 + patch

(dropping the bug-tar list, since this reply only relevant within

Hi Paul,

On Sat, Oct 29, 2016 at 09:19:09PM -0700, Paul Eggert wrote:
> Thanks for the heads-up. Yes, it appears the 2003 change was not
> sufficiently paranoid about ".." in member names. Luckily, the tar manual
> still documents the pre-2003 behavior, so we can restore that behavior as a
> simple bug fix. I installed the attached patch into Savannah as one way to
> do that. This patch causes 'tar' to issue two diagnostics when given a
> member name containing "..", and I suppose tar should be cleaned up at some
> point to issue just one diagnostic. The main thing, though, is that the
> patch is simple and fixes the security gotcha in question.
> I don't view this as a serious bug, as the tar manual has long said that you
> should extract untrusted tarballs only into empty directories, and doing
> that forestalls the attack even without this patch. (There are other reasons
> for this longstanding recommendation.)

Thanks for the patch!

For reference, attached would be the debdiff for a possible unstable
and jessie-security upload.


Attachment: tar_1.27.1-2+deb8u1.debdiff
Description: Text document

Attachment: tar_1.29b-1.1.debdiff
Description: Text document

reply via email to

[Prev in Thread] Current Thread [Next in Thread]