Date: Fri, 23 Oct 2015 14:24:41 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: BusyBox tar directory traversal On ven., 2015-10-23 at 03:01 -0400, Robert Watson wrote: > Remember that tar was created primarily for software distribution Actually no, it was created to write archives to (magnetic) tapes. > and > compressed tar files are most often used to this day for that purpose. > Software distribution almost always involves writing files to many > different directories at all levels of the filesystem. Symlinks between > them are quite common as well. Sure, you just don't want them to escape from CWD. There has been example of this to bypass “safe updates” procedures for example. Regards, -- Yves-Alexis Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ