Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Oct 2015 10:36:33 -0500
From: Tyler Hicks <>
Cc:, Denys Vlasenko <>
Subject: CVE Request: BusyBox tar directory traversal

Hello - The BusyBox implementation of tar will extract a symlink that
points outside of the current working directory and then follow that
symlink when extracting other files. This allows for a directory
traversal attack when extracting untrusted tarballs.

This behavior was documented in the BusyBox source with the following
2011 commit:

I've created an upstream bug report:

Can we get a CVE assigned to track this? Thanks!


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ