Date: Thu, 6 Feb 2014 14:27:04 +0100
From: Jakub Wilk <>
Subject: Re: [notification] CVE-2013-6888: uscan: remote code

* Raphael Geissert <>, 2014-01-06, 11:57:
>Two other changes were made that IMO should be considered as hardening:

I believe that untarring files to a direct subdirectory of /tmp (at
least without --keep-old-files) is a vulnerability, although admittedly
with very low severity. If the tarball contained a "." file, then tar
would change permissions of the destination directory, possibly making
the directory accessible to other users. This is (similar to?) CWE-378.


As far as I can tell, this one is indeed hardening only.

Jakub Wilk
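The "." entry described in the message above is something an extractor can check for before untarring. The following is an added example, not code from uscan or from anyone in this thread: a small Python helper that flags any archive member whose path normalizes to the destination directory itself (".", "./", "pkg/..", a slight generalization of the plain "." case) and extracts only the remaining members. The sample archive is constructed inline, and the names resolves_to_root, audit_tar, safe_extract, build_sample and demo are the example's own.

```python
import io, os, posixpath, shutil, tarfile, tempfile

def resolves_to_root(name: str) -> bool:
    """True if a member name aliases the destination dir (".", "./", "pkg/..")."""
    return posixpath.normpath(name) == "."

def audit_tar(data: bytes) -> list:
    """(name, octal mode) of each directory member whose mode tar would
    apply to the destination directory itself."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return [(posixpath.normpath(m.name), oct(m.mode & 0o7777))
                for m in tar.getmembers()
                if m.isdir() and resolves_to_root(m.name)]

def safe_extract(data: bytes, dest: str) -> list:
    """Extract all members except those aliasing dest; return skipped names.
    Uses tarfile's 'data' filter where this Python version provides it."""
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    skipped, keep = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if resolves_to_root(m.name):
                skipped.append(posixpath.normpath(m.name))
            else:
                keep.append(m)
        tar.extractall(dest, members=keep, **opts)
    return skipped

def build_sample() -> bytes:
    """Constructed archive: a "." entry with mode 0777, then a normal file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        dot = tarfile.TarInfo(".")
        dot.type, dot.mode = tarfile.DIRTYPE, 0o777
        tar.addfile(dot)
        body = b"hello\n"
        member = tarfile.TarInfo("pkg/hello.txt")
        member.size, member.mode = len(body), 0o644
        tar.addfile(member, io.BytesIO(body))
    return buf.getvalue()

def demo() -> dict:
    """Extract the sample into a fresh 0700 temp dir; report what happened."""
    data, dest = build_sample(), tempfile.mkdtemp()
    try:
        skipped = safe_extract(data, dest)
        return {"findings": audit_tar(data), "skipped": skipped,
                "world_writable": bool(os.stat(dest).st_mode & 0o002),
                "extracted": os.path.isfile(os.path.join(dest, "pkg", "hello.txt"))}
    finally:
        shutil.rmtree(dest)
```

Because the "." member is skipped, the temporary directory keeps the 0700 mode mkdtemp gave it while the real payload is still extracted.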
