Re: GNU Tar vulnerability
- From: Josh Paetzel <josh@xxxxxxxxx>
- Date: Tue, 28 Nov 2006 14:50:21 -0600
On Tuesday 28 November 2006 13:50, Sergey Matveychuk wrote:
> Josh Paetzel wrote:
> > On Tuesday 28 November 2006 11:17, Sergey Matveychuk wrote:
> > > Please, note: http://secunia.com/advisories/23115/
> > > A port maintainer CC'ed.
> >
> > This is one of those things where the impact is hard to determine
> > because the link doesn't really give much info. Ok, you can
> > overwrite arbitrary files.....ANY file? Or just files that the
> > user running gtar has write access to? If it's the first case
> > then that's huge. If it's the second case then who really cares.
> > I'm sure it's the second case.
>
> I think it should care root mostly. But any users dislike too if
> there is a chance to lose their .login, .bashrc etc.
> An exploit is available on SecurityFocus.

hrmm....didn't really think this one through. I was looking at it
from the 'you have a local user who would want to root your box using
this' perspective. Looking at it from a different viewpoint,
say, 'you have someone who would like to do mean things from remote
by providing you with corrupt tar archives' puts a different spin on
it altogether.
--
Thanks,
Josh Paetzel
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"