bug-gnu-utils

tar can be used to damage a system


From: root
Subject: tar can be used to damage a system
Date: Sun, 27 Jan 2002 23:52:34 -0500 (EST)

It has recently occurred to me that a bogus tar file can be
used to attack a system, especially if root runs it.
If you put bogus files like:

     ../../../../../../../../../../../../vmlinuz
     ../../../../../../../../../../../../boot/boot.b
     ../../../../../../../../../../../../bin/login

into the tar file; then an unsuspecting root
can tear up the system.

Of course, there are a lot of ways to damage a system
if you can trick a sysadmin into using them; but I don't
recall ever coming across a warning that unpacking a
tarball can be a threat.

The solution seemed simple when I first thought of it.
The longer I think about it, the more complicated it gets.
But at least, some restriction may be in order to keep
tar from writing outside its destination tree, unless
some measure is taken to allow it explicitly.
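
The restriction suggested above, as an added example that is not part of the original message and is not GNU tar's own code: a pre-extraction audit that lists an archive's members and rejects any whose path (or link target) would resolve outside the destination tree. It uses Python's `tarfile` module; the function names, the `/tmp/unpack` destination and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import tarfile

def escapes(dest, name):
    """True if extracting `name` under `dest` would land outside `dest`."""
    dest = os.path.realpath(dest)
    # An absolute `name` replaces `dest` in join(), so it is caught as well.
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) != dest

def audit_tar(fileobj, dest):
    """Return (safe, rejected) member-name lists without extracting anything."""
    safe, rejected = [], []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for m in tf:
            bad = escapes(dest, m.name)
            # Links can redirect a later write, so check where they point too.
            if m.issym():
                base = os.path.dirname(m.name)
                bad = bad or escapes(dest, os.path.join(base, m.linkname))
            elif m.islnk():
                bad = bad or escapes(dest, m.linkname)
            (rejected if bad else safe).append(m.name)
    return safe, rejected

def build_sample():
    """Constructed in-memory archive: one normal member plus the three paths quoted above."""
    buf = io.BytesIO()
    up = "../" * 12
    names = ["pkg/README", up + "vmlinuz", up + "boot/boot.b", up + "bin/login"]
    data = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(n)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    safe, rejected = audit_tar(build_sample(), "/tmp/unpack")
    print("safe:    ", safe)
    print("rejected:", rejected)
```
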
