Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 Oct 2013 21:28:29 +0200
From: Naufragium Est <>
Subject: libtar: missing validation of file names

is this also CVE-worthy?

> The functions tar_extract_glob and tar_extract_all accept a path prefix
> on where to extract files to. However, libtar does not validate the file
> names stored inside a tar file, possibly leading to a file extraction
> outside the prefix path. For example, consider a file name
> "../../etc/passwd". If extract_all is called with prefix "/home/USER/",
> libtar would try to overwrite "/etc/passwd".

not fixed yet:

> Once I figure out the right way of handling this, there will probably be
> another libtar release.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ