From: Greg A. Woods (woods_at_weird.com)
Date: Sun Oct 27 2002 - 19:19:40 CST

    [ On Sunday, October 27, 2002 at 18:25:44 (-0600), Frederick Bruckman wrote: ]
    > Subject: Re: tar ignores filenames that contain `..'
    >
    > Considering that the *threat* is of a malicious archive being
    > downloaded from the internet, what chance is there to exploit a race
    > condition while the archive is being extracted?

    It doesn't have to be a threat just of a malicious archive from some
    unknown third party. Perhaps it was created by a disgruntled colleague,
    or modified by some other attacker who's gained local access and is
    looking for some way to elevate his privileges. Perhaps it was an
    archive off the net, but maybe an insider has outside help to spoof the
    local admin into pulling down the trojaned archive.

    This problem really does need to be solved properly once and for all for
    everyone everywhere, not just for pkgsrc users -- that's what this is
    all about in the first place, just as the original advisory noted:

              Probably, directory traversal is
          most dangerous among this bugs, because it allows to craft archive
          which will trojan system on extraction. This problem is known for
          software developers, and newer archivers usually have some kind of
          protection. But in some cases this protection is weak and can be
          bypassed.

            -- http://online.securityfocus.com/archive/1/196445

    -- 
    								Greg A. Woods
    

    +1 416 218-0098; <g.a.woodsieee.org>; <woodsrobohack.ca> Planix, Inc. <woodsplanix.com>; VE3TCP; Secrets of the Weird <woodsweird.com>
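
Added example, not part of the original message or of any tar implementation: a pre-extraction audit that compares whole path components instead of searching names for the substring `..`, and that also flags link members, one way a weak name-only protection can be bypassed. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def naive_reject(name):
    """Substring test: also rejects harmless names such as 'notes..txt'."""
    return ".." in name


def audit_members(tar):
    """Return (member name, reason) for entries that could land outside the root."""
    findings, links = [], set()  # links: link members seen so far
    for m in tar.getmembers():
        parts = m.name.split("/")
        prefixes = {"/".join(parts[:i]) for i in range(1, len(parts))}
        if m.name.startswith("/"):
            findings.append((m.name, "absolute path"))
        elif ".." in parts:  # whole components, not substrings
            findings.append((m.name, "'..' component"))
        elif prefixes & links:
            findings.append((m.name, "path passes through a link member"))
        if m.issym() or m.islnk():
            # symlink targets resolve from the link's directory, hard links from the root
            base = posixpath.dirname(m.name) if m.issym() else ""
            target = posixpath.normpath(posixpath.join(base, m.linkname))
            if target.startswith("/") or target == ".." or target.startswith("../"):
                findings.append((m.name, "link target leaves the root"))
            links.add(m.name)
    return findings


def build_sample():
    """Constructed sample archive, built in memory; nothing is written to disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/notes..txt", "docs/../../outside.txt", "/tmp/abs"):
            tar.addfile(tarfile.TarInfo(name), io.BytesIO(b""))
        link = tarfile.TarInfo("cfg")
        link.type, link.linkname = tarfile.SYMTYPE, "../../elsewhere"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("cfg/motd"), io.BytesIO(b""))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    for name, reason in audit_members(build_sample()):
        print(f"{name}: {reason}")
```

This audit looks only at what the archive declares; it does not cover the race during extraction raised in the quoted question, which depends on the state of the filesystem while files are being written.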