[1044] in linux-security and linux-alert archive
[linux-security] Re: Anon ftp pkg?
daemon@ATHENA.MIT.EDU (Elliot Lee)
Thu Aug 22 02:36:54 1996
Date: Wed, 21 Aug 1996 10:05:52 -0400 (EDT)
From: Elliot Lee <sopwith@redhat.com>
To: Roscinante <rosc@fbn.globalent.net>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.95.960821094915.8693A-100000@fbn.globalent.net>
On Wed, 21 Aug 1996, Roscinante wrote:
> Does the updated anonftp pkg have a fixed version of tar?
Yes, that's all that changed :-)
> I've been trying all night to get rpm working on my slack system, am I
> wasting my time (someone told me all that's in the updated anonftp pkg is
> a config script)?
No.
> Are there options in tar that should be disabled at compile time?
> What options are exploitable? Please cc me directly.
I have attached a patch to tar that you can compile tar with to fix it.
Hope this helps,
--==== Elliot Lee = <sopwith@redhat.com> == Red Hat Software ====--
"Usenet is like a herd of performing elephants with diarrhea; massive,
difficult to redirect, awe-inspiring, entertaining, and a source of
mind-boggling amounts of excrement when you least expect it."
--- tar-1.11.8/src/tar.c.sopwith Sat Jun 17 16:48:32 1995
+++ tar-1.11.8/src/tar.c Mon Aug 19 12:19:16 1996
@@ -22,6 +22,8 @@
#include "system.h"
+#include <syslog.h>
+
#ifndef FNM_LEADING_DIR
# include <fnmatch.h>
#endif
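Review bot: The added #include <syslog.h> at the top of tar.c is unconditional, while the fnmatch.h include directly below it sits behind a preprocessor test. Wrapping the new include in a feature test, or in the same build switch that turns on the restricted FTP behaviour, would keep the file compiling on systems without syslog.h and make it obvious that the header is only needed for the restricted build.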
@@ -1202,14 +1204,19 @@
break;
case OPTION_COMPRESS_PROG:
- if (flag_compressprog)
- ERROR ((TAREXIT_FAILURE, 0,
- _("Only one compression option permitted")));
- flag_compressprog = optarg;
+ openlog("ftp tar", 0, LOG_DAEMON);
+ syslog(LOG_WARNING,"Attempt to run tar via FTP with compress command %s",
+ optarg);
+ closelog();
+ flag_compressprog = NULL;
break;
case OPTION_RSH_COMMAND:
- flag_rsh_command = optarg;
+ openlog("ftp tar", 0, LOG_DAEMON);
+ syslog(LOG_WARNING,"Attempt to run tar via FTP with rsh command %s",
+ optarg);
+ closelog();
+ flag_rsh_command = NULL;
break;
case 'g':
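Review bot: In both the OPTION_COMPRESS_PROG and OPTION_RSH_COMMAND cases the option is logged and then silently dropped: the flag is set to NULL and tar carries on, so the caller gets an apparently normal run with no indication that the request was refused. Failing through the ERROR ((TAREXIT_FAILURE, ...)) path that the removed lines used would make the refusal explicit and stop processing. optarg is also passed to syslog verbatim; the format string itself is fixed, which is good, but the value is caller-supplied and should be length-limited and have control characters replaced before it is written, so a crafted argument cannot break up or forge log lines. The change also disables these options for every invocation of the binary, even though the log text says "via FTP", so this build is only appropriate for the copy installed in the anonymous FTP tree; a compile-time switch around the two cases would keep it out of a general-purpose tar. The identical openlog/syslog/closelog sequence in the two cases could be one small helper taking the option name.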