Re: RE: Is FreeBSD's tar susceptible to this?

From: f.johan.beisser (jan@caustic.org)
Date: 10/02/02


Date: Tue, 1 Oct 2002 16:07:31 -0700 (PDT)
From: "f.johan.beisser" <jan@caustic.org>
To: Don Lewis <dl-freebsd@catspoiler.org>

On Tue, 1 Oct 2002, Don Lewis wrote:

> What if the tarball installs a symlink to / under the current directory
> followed by files that are unpacked underneath the symlink name? A
> simple fix for the initial problem mentioned in this thread isn't
> sufficient.

i don't believe that tar(1) will allow you to do that by default.

i know for a fact that OpenBSD won't do it by default, you have to specify
that you want it to follow symlinks:

     -L Follow all symlinks. In extract mode this means that a
        directory entry in the archive will not overwrite an existing
        symbolic link, but rather what the link ultimately points
        to.

> This is hardly a new problem. Here's a 1998 BUGTRAQ message:

and, i believe that's been addressed as well. should have been, considering
it's 4 years old now.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan jan@caustic.org
    "John Ashcroft is really just the reanimated corpse
         of J. Edgar Hoover." -- Tim Triche
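
The archive layout Don Lewis describes above (a symlink member followed by members unpacked beneath the symlink's name) can be checked for before anything is extracted. This is an added example, not part of the original message and not code from any tar implementation; `audit_tar` and `build_sample` are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile


def audit_tar(fileobj):
    """Return (member, reason) pairs for entries that could land outside the extraction dir."""
    findings = []
    symlinks = set()  # normalized names of symlink members seen so far
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append((m.name, "absolute path or '..' component"))
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            # Flag a member whose parent path was created earlier as a symlink.
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append((m.name, f"unpacks beneath archived symlink '{prefix}'"))
                    break
            if m.issym():
                symlinks.add(name)
    return findings


def build_sample(entries):
    """Constructed test data: in-memory tar from (name, symlink target or None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is None:
                data = b"constructed\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample([("pkg/root", "/"), ("pkg/root/tmp/file.txt", None)])
    for member, reason in audit_tar(sample):
        print(f"{member}: {reason}")
```

The audit only reads member headers, so it can run on an untrusted tarball before any extraction takes place.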
