Re: Directory traversal vulnerabilities in several archivers processing .tar

From: der Mouse (mouse@Rodents.Montreal.QC.CA)
Date: 12/17/02

  • Next message: Muhammad Faisal Rauf Danka: "Fwd: CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations"
    From: der Mouse <mouse@Rodents.Montreal.QC.CA>
    Date: Tue, 17 Dec 2002 18:54:41 +0100 (CET)
    To: Florian Schafferhans <fs@computer-security.de>, bugtraq@securityfocus.com
    
    

    > [...how tarfile readers don't check for .. components...]

    > Affected
    > [long list]

    Not affected: my tar, when run with the appropriate option to make it
    paranoid about extraction. (With the option set, it refuses to extract
    anything that would be placed anywhere not under the current
    directory. At least it's supposed to, and as far as I know it does.)

    /~\ The ASCII der Mouse
    \ / Ribbon Campaign
     X Against HTML mouse@rodents.montreal.qc.ca
    / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B