Date: Fri, 9 Jan 2015 21:18:29 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Directory traversals in cpio and friends?

* Alexander Cherepanov <cherepan@...me.ru>, 2015-01-08, 02:43:
>The results of tests of tar and cpio archives against various commands
>follow. '=' means that the corresponding file is not extracted, 'x'
>means that it is extracted. IMHO secure configuration should list
>three '=', insecure configuration should list three 'x', everything
>else is inconsistent. The list was created by the attached scripts.
>
>=== tar ===
>abs     rel     link    cmd
>=       =       =       tar -x
>x       x       x       tar -x -P
>=       =       =       bsdtar -x
>x       x       x       bsdtar -x -P
>=       x       x       paxtar -x
>x       x       x       paxtar -x -P
>x       x       x       pax -r

Let me add:

=       =       x       star -x
=       =       =       star -x -secure-links
x       x       x       star -x -/ -..

(tested with star 1.5.3)

-- 
Jakub Wilk
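A small harness that reproduces the abs/rel/link columns of the table above for any extractor, added here as an example; it is not the scripts attached to the original post. It assumes the placeholder ARCHIVE in a command string such as "tar -x -P -f ARCHIVE", marker file names of its own choosing, and, for the pure-Python rows, the extraction filters of Python's tarfile (3.12 and backports); it goes slightly beyond the thread by scoring tarfile itself the same way.

```python
import io, os, shutil, subprocess, tarfile, tempfile
CASES = ("abs", "rel", "link")   # the three columns of the table above

def build_archives(work):
    # Constructed test archives: each tries to drop a marker file into `work`,
    # one level above the extraction directory `work/dest`.
    def member(tar, name, typ=tarfile.REGTYPE, link=""):
        ti = tarfile.TarInfo(name)
        data = b"escaped\n" if typ == tarfile.REGTYPE else b""
        ti.type, ti.linkname, ti.size = typ, link, len(data)
        tar.addfile(ti, io.BytesIO(data) if data else None)
    with tarfile.open(os.path.join(work, "abs.tar"), "w") as t:
        member(t, os.path.join(work, "abs-marker"))     # absolute member name
    with tarfile.open(os.path.join(work, "rel.tar"), "w") as t:
        member(t, "../rel-marker")                       # '..' in member name
    with tarfile.open(os.path.join(work, "link.tar"), "w") as t:
        member(t, "lnk", tarfile.SYMTYPE, "..")          # symlink out of dest
        member(t, "lnk/link-marker")                     # file through the link

def row(extractor, work):
    # One table line: '=' where the marker stayed out of `work`, 'x' where it
    # escaped. `extractor` is a shell command containing ARCHIVE, run inside the
    # extraction dir (e.g. "tar -x -P -f ARCHIVE"), or a callable extract(archive, dest).
    result = []
    for case in CASES:
        marker, dest = os.path.join(work, case + "-marker"), os.path.join(work, "dest")
        if os.path.lexists(marker): os.remove(marker)
        shutil.rmtree(dest, ignore_errors=True); os.makedirs(dest)
        archive = os.path.join(work, case + ".tar")
        try:
            if callable(extractor): extractor(archive, dest)
            else: subprocess.run(extractor.replace("ARCHIVE", archive), shell=True,
                                 cwd=dest, capture_output=True)
        except Exception:
            pass   # a refused member simply counts as "not extracted"
        result.append("x" if os.path.lexists(marker) else "=")
    return tuple(result)

def python_extractor(filter_name):
    # tarfile itself under an extraction filter (Python 3.12+ and backports):
    # 'fully_trusted' behaves like `tar -x -P`, 'data' refuses all three cases.
    def extract(archive, dest):
        with tarfile.open(archive) as t: t.extractall(dest, filter=filter_name)
    return extract

def self_check():
    # Score tarfile's filters in a fresh temp dir; None on Pythons without them.
    work = tempfile.mkdtemp(); build_archives(work)
    if not hasattr(tarfile, "data_filter"): return None
    return {f: row(python_extractor(f), work) for f in ("fully_trusted", "data")}
```

For the command-line tools from the thread, call e.g. row("star -x -f ARCHIVE", work) after build_archives(work) and print the tuple next to the command.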
