Date: Fri, 23 Oct 2015 09:00:29 -0400
From: Robert Watson <robertcwatson1@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: BusyBox tar directory traversal

Okay. How then does one install a tar package that puts most of its files under /usr but also needs to put files under /etc to which there are symlinks?

On Friday, October 23, 2015, Yves-Alexis Perez <corsac@...ian.org> wrote:

> On ven., 2015-10-23 at 03:01 -0400, Robert Watson wrote:
> > Remember that tar was created primarily for software distribution
>
> Actually no, it was created to write archives to (magnetic) tapes.
>
> > and
> > compressed tar files are most often used to this day for that purpose.
> > Software distribution almost always involves writing files to many
> > different directories at all levels of the filesystem. Symlinks between
> > them are quite common as well.
>
> Sure, you just don't want them to escape from CWD. There has been example of
> this to bypass “safe updates” procedures for example.
>
> Regards,
> --
> Yves-Alexis
>
>

-- 
*Trust in truth keeps hope alive
robertcwatson1@...il.com <robertcwatson1@...il.com>
www.docsalvage.info <http://www.docsalvage.info>
www.CivicChorale.org <http://www.CivicChorale.org>*
<http://www.wunderground.com/cgi-bin/findweather/getForecast?query=Tallahassee,%20FL>
<https://www.healthcare.gov/>
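The distinction drawn in this exchange, symlinks that stay under the extraction directory versus ones that leave it, can be checked before anything is unpacked. The following is an added example, not part of the original message and not BusyBox code; the function names and the sample archive are constructed for illustration, and it assumes extraction into an empty directory and checks symlinks only (not hard links).

```python
import io
import posixpath
import tarfile

def escapes(path):
    """True if a normalised, root-relative path points outside the root."""
    return path.startswith("/") or path == ".." or path.startswith("../")

def resolve(path, links):
    """Normalise path, substituting symlinks declared earlier in the archive."""
    path = posixpath.normpath(path)
    for _ in range(40):  # bounded walk so a symlink loop cannot hang the check
        parts = path.split("/")
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i])
            if prefix in links:
                path = posixpath.normpath(posixpath.join(links[prefix], *parts[i:]))
                break
        else:
            return path
    return "/"  # unresolved loop: report as escaping

def escaping_members(tar):
    """Return [(member name, resolved path)] for entries that leave the root."""
    findings, links = [], {}
    for m in tar.getmembers():
        parent, base = posixpath.split(posixpath.normpath(m.name))
        dest = posixpath.normpath(posixpath.join(resolve(parent, links), base))
        if m.issym():  # record where the link points, relative to the root
            target = resolve(posixpath.join(posixpath.dirname(dest), m.linkname), links)
            links[dest] = target
            if escapes(target):
                findings.append((m.name, target))
                continue
        if escapes(dest):
            findings.append((m.name, dest))
    return findings

def build_sample():
    """Constructed archive: in-root usr -> etc symlink, plus an escaping one."""
    entries = [("usr/bin/tool", None), ("usr/etc", "../etc"),
               ("usr/etc/tool.conf", None), ("out", "/tmp"), ("out/file.txt", None)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link
            tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf)
```

In the constructed archive the `usr/etc -> ../etc` link and the file written through it are accepted because both resolve inside the root, while `out -> /tmp` and `out/file.txt` are reported.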