[28234] in bugtraq
Re: Directory traversal vulnerabilities in several archivers processing .tar
daemon@ATHENA.MIT.EDU (der Mouse)
Tue Dec 17 14:43:07 2002
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Message-Id: <200212171759.MAA09224@Sparkle.Rodents.Montreal.QC.CA>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Tue, 17 Dec 2002 18:54:41 +0100 (CET)
To: Florian Schafferhans <fs@computer-security.de>, bugtraq@securityfocus.com
In-Reply-To: <20021216234043.19566.qmail@mail.securityfocus.com>
> [...how tarfile readers don't check for .. components...]
> Affected
> [long list]
Not affected: my tar, when run with the appropriate option to make it
paranoid about extraction. (With the option set, it refuses to extract
anything that would be placed anywhere not under the current
directory. At least it's supposed to, and as far as I know it does.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
