Date: Fri, 23 Oct 2015 09:00:29 -0400
From: Robert Watson <robertcwatson1@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: BusyBox tar directory traversal

Okay. How then does one install a tar package that puts most of its files
under /usr but also needs to put files under /etc to which there are
symlinks?

On Friday, October 23, 2015, Yves-Alexis Perez <corsac@...ian.org> wrote:

> On ven., 2015-10-23 at 03:01 -0400, Robert Watson wrote:
> > Remember that tar was created primarily for software distribution
>
> Actually no, it was created to write archives to (magnetic) tapes.
>
> >  and
> > compressed tar files are most often used to this day for that purpose.
> > Software distribution almost always involves writing files to many
> > different directories at all levels of the filesystem. Symlinks between
> > them are quite common as well.
>
> Sure, you just don't want them to escape from CWD. There has been example of
> this to bypass “safe updates” procedures for example.
>
> Regards,
> --
> Yves-Alexis
>
>

-- 



Trust in truth keeps hope alive
robertcwatson1@...il.com
www.docsalvage.info
www.CivicChorale.org
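
An added example, not part of the thread above and not BusyBox's code: a pre-extraction audit that resolves every member name through the symlinks the archive itself declares, so a link from usr/ into etc/ inside the extraction directory passes while a link that leaves it, and any file written through it, is reported. The names resolve_in_root, audit_tar and build_sample and the sample archive are constructed for illustration; resolution is lexical and assumes an empty extraction directory (symlinks already on disk are not considered).

```python
import io
import posixpath
import tarfile

# Constructed sample: (member name, symlink target or "" for a regular file).
SAMPLE = [("usr/share/app/conf", "../../../etc/app"), ("etc/app/app.conf", ""),
          ("cache", "../outside"), ("cache/file.txt", "")]

def resolve_in_root(path, links, depth=0):
    """Resolve path under the extraction root; None if it escapes the root."""
    if path.startswith("/") or depth > 40:    # absolute path or symlink loop
        return None
    out, parts = [], path.split("/")
    for i, part in enumerate(parts):
        if part == "..":
            if not out:
                return None                    # climbs above the root
            out.pop()
        elif part not in ("", "."):
            out.append(part)
            cur = "/".join(out)
            if cur in links:                   # component is an archive symlink
                base = posixpath.join(posixpath.dirname(cur), links[cur])
                rest = parts[i + 1:]
                return resolve_in_root(posixpath.join(base, *rest), links, depth + 1)
    return "/".join(out)

def audit_tar(data):
    """Return (member, reason) for entries that would land outside the root."""
    findings, links = [], {}
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            name = resolve_in_root(m.name, links)
            if name is None:
                findings.append((m.name, "path escapes root"))
            elif m.issym():
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if resolve_in_root(target, links) is None:
                    findings.append((m.name, "symlink target escapes root"))
                links[name] = m.linkname       # later members may pass through it
    return findings

def build_sample():
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, link in SAMPLE:
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname = (tarfile.SYMTYPE, link) if link else (tarfile.REGTYPE, "")
            tf.addfile(ti)
    return buf.getvalue()
```
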
