Date: Fri, 23 Oct 2015 14:24:41 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: BusyBox tar directory traversal

On Fri., 2015-10-23 at 03:01 -0400, Robert Watson wrote:
> Remember that tar was created primarily for software distribution

Actually no, it was created to write archives to (magnetic) tapes.

>  and
> compressed tar files are most often used to this day for that purpose.
> Software distribution almost always involves writing files to many
> different directories at all levels of the filesystem. Symlinks between
> them are quite common as well.

Sure, you just don't want them to escape from CWD. There have been examples of
this being used to bypass “safe updates” procedures, for example.

Regards,
-- 
Yves-Alexis
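The point of the reply above is that a symlink inside an archive is harmless until a later member is written *through* it, or until its target leaves the extraction directory. The following is an added example, not code from this thread or from BusyBox: a small Python audit that walks a tar archive in member order, tracks the symlinks it would have created so far, and reports every member that would land outside the extraction root. The sample archive it builds is constructed for the test and the helper names (`resolve`, `audit_tar`, `build_sample`) are the example's own.

```python
import io
import os
import tarfile

# Maximum number of symlink substitutions before a path is treated as a loop.
MAX_LINK_DEPTH = 40


def resolve(name, links, depth=0):
    """Resolve an archive member path against the symlinks seen so far.

    `links` maps a resolved, root-relative symlink path to its target string.
    Returns the normalized root-relative path the member would be written to,
    or None when the path would leave the extraction root (leading '/',
    '..' above the root, absolute symlink target) or hits a symlink loop.
    """
    if depth > MAX_LINK_DEPTH or name.startswith("/"):
        return None
    comps = [c for c in name.split("/") if c not in ("", ".")]
    parts = []
    for i, comp in enumerate(comps):
        if comp == "..":
            if not parts:
                return None          # climbed above the extraction root
            parts.pop()
            continue
        parts.append(comp)
        cur = "/".join(parts)
        if cur in links:
            # Replace the link component with its target (relative to the
            # link's parent directory), re-append what follows, and resolve
            # again so links inside the target are honoured too.
            target = links[cur]
            rest = comps[i + 1:]
            new_name = "/".join(parts[:-1] + [target] + rest)
            return resolve(new_name, links, depth + 1)
    return "/".join(parts)


def audit_tar(data):
    """Return [(member_name, reason)] for members that would escape the root.

    Only inspects the archive; nothing is written to disk.
    """
    findings = []
    links = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            dest = resolve(m.name, links)
            if dest is None:
                findings.append((m.name, "path escapes extraction root"))
                continue
            if m.issym():
                # Record the link first so later members routed through it
                # are checked, then check where the link itself points.
                links[dest] = m.linkname
                link_target = os.path.join(os.path.dirname(dest), m.linkname)
                if resolve(link_target, links) is None:
                    findings.append((m.name, "symlink target escapes root"))
            elif m.islnk() and resolve(m.linkname, links) is None:
                findings.append((m.name, "hard link target escapes root"))
    return findings


def _add_file(tf, name, payload):
    ti = tarfile.TarInfo(name)
    ti.size = len(payload)
    tf.addfile(ti, io.BytesIO(payload))


def _add_symlink(tf, name, target):
    ti = tarfile.TarInfo(name)
    ti.type = tarfile.SYMTYPE
    ti.linkname = target
    tf.addfile(ti)


def build_sample():
    """Constructed test archive: two benign members, then the patterns
    the audit is meant to catch (escaping link, write through it, '..')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_file(tf, "pkg/README", b"hello")
        _add_symlink(tf, "pkg/current", "README")       # stays inside pkg/
        _add_symlink(tf, "pkg/escape", "../../tmp")     # leaves the root
        _add_file(tf, "pkg/escape/owned", b"x")          # written through it
        _add_file(tf, "../etc/evil", b"x")               # plain '..' traversal
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"{name}: {reason}")
```

Run it against any archive with `audit_tar(open(path, "rb").read())`. The link table is keyed by the *resolved* path of each symlink because an archive can also create a link through an earlier link; resolving before recording keeps both hops on the same map, and the depth limit turns a self-referential link into a finding rather than an infinite recursion.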


