Date: Mon, 25 Jun 2001 08:40:21 -0700 (PDT)
From: Paul Eggert <eggert@twinsun.com>
To: 3APA3A@SECURITY.NNOV.RU
Cc: bug-gnu-utils@prep.ai.mit.edu, ports@FreeBSD.ORG
Subject: Re: tar directory traversal
Message-ID: <200106251540.f5PFeLD02132@shade.twinsun.com>
In-Reply-To: <136107973587.20010625185007@SECURITY.NNOV.RU> (3APA3A@SECURITY.NNOV.RU)
References: <136107973587.20010625185007@SECURITY.NNOV.RU>

> From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
> Date: Mon, 25 Jun 2001 18:50:07 +0400
>
> tar checks for absolute path names beginning with '/' but it doesn't
> for '../' it makes it possible to create tar archive which, then
> extracted, will place some files in directory of archive author's
> choice.

It's a known problem. It is addressed to some extent in the latest
test version of GNU tar (1.13.19). There are a few tricky holes even
in 1.13.19, though, and I hope to have them closed in the next version.
You can get test versions at:

ftp://alpha.gnu.org/gnu/tar/
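The member-name check discussed in this thread, as an added example that is not part of the original message and is not GNU tar's code: it uses Python's standard tarfile module on a constructed in-memory archive and extracts only regular files whose names pass. The function names, the sample member names, POSIX-style paths and the policy of rejecting every ".." component (not only a leading "../") are assumptions of this example.

```python
import io
import os
import tarfile

# Constructed sample member names: one ordinary, three that leave the target.
SAMPLE_NAMES = ("docs/readme.txt", "../outside.txt",
                "docs/../../outside2.txt", "/tmp/absolute.txt")


def build_sample_archive():
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    payload = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in SAMPLE_NAMES:
            info = tarfile.TarInfo(name)  # addfile() stores the name unchanged
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def escapes_target(name):
    """True if the member name is absolute or has a '..' component."""
    # A leading '/' is the check the quoted report says tar already made;
    # the '..' test is per component, so 'docs/../../x' is caught as well.
    return name.startswith("/") or ".." in name.split("/")


def extract_checked(data, dest):
    """Extract passing regular files under dest; return the skipped names."""
    skipped = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for member in tar:
            if not member.isfile() or escapes_target(member.name):
                skipped.append(member.name)
                continue
            path = os.path.join(dest, *member.name.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as out:
                out.write(tar.extractfile(member).read())
    return skipped


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as top:
        target = os.path.join(top, "target")
        os.mkdir(target)
        print("skipped:", extract_checked(build_sample_archive(), target))
```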