
[Savannah-help-public] newer tar: avoid .. exploit


From: Jim Meyering
Subject: [Savannah-help-public] newer tar: avoid .. exploit
Date: Sun, 09 Sep 2007 09:45:31 +0200

[deliberately not sent to the -public list]
Hi guys,

You've probably heard about the latest exploitable tar bug: If you
unpack a malicious tar archive, it can overwrite (through e.g., ../..)
any number of your key files with tarball-supplied contents.  Fixed only
recently in GNU tar for the upcoming 1.18.1 release.

It would be prudent to install the fixed version wherever root
might unpack an untrusted tarball or forget to verify a signature
or checksum before unpacking what they think is a trusted tarball
(imagine a cracked mirror of trusted sources):

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131

Most vendors already have the fix.  E.g., 1.18-2 in Debian.
Is there policy for this on savannah?  The installed tar is version 1.16,
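
An added example, not part of the message above nor code from GNU tar: a Python pre-extraction check in the spirit of the advice here, inspecting an archive before anyone unpacks it as root and refusing any member whose name has a `..` component or is absolute, or whose link target resolves outside the extraction root. The sample archive and its member names are constructed for the demonstration.

```python
import io
import posixpath
import tarfile


def unsafe_members(tar):
    """Return names of members that would write outside the extraction root.

    The name is split on '/' rather than normalised, so 'a//../b' is caught
    as well as '../b'. Symlink/hardlink targets are resolved relative to the
    member's own directory and rejected if they leave the tree.
    """
    bad = []
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in m.name.split("/"):
            bad.append(m.name)
            continue
        if m.issym() or m.islnk():
            target = posixpath.normpath(
                posixpath.join(posixpath.dirname(m.name), m.linkname))
            if target.startswith("/") or target == ".." or target.startswith("../"):
                bad.append(m.name)
    return bad


def check_archive(data):
    """Inspect an in-memory tar archive; return the unsafe member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar)


def build_sample_archive():
    """Constructed sample (hypothetical names): a benign file, two '..'
    traversal entries, a benign symlink and two escaping symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg/README", "../../etc/cron.d/evil", "pkg//../../etc/passwd"):
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        for name, linkname in (("pkg/doc", "README"), ("pkg/lib", "/etc"),
                               ("pkg/up", "../../outside")):
            link = tarfile.TarInfo(name)
            link.type = tarfile.SYMTYPE
            link.linkname = linkname
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name in check_archive(build_sample_archive()):
        print("refusing to extract:", name)
```

On Python 3.12 and later the standard library offers a comparable safeguard through `tar.extractall(filter="data")`.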
