Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 Oct 2013 21:28:29 +0200
From: Naufragium Est <>
Subject: libtar: missing validation of file names

is this also CVE-worthy?

> The functions tar_extract_glob and tar_extract_all accept a path prefix
> on where to extract files to. However, libtar does not validate the file
> names stored inside a tar file, possibly leading to a file extraction
> outside the prefix path. For example, consider a file name
> "../../etc/passwd". If extract_all is called with prefix "/home/USER/",
> libtar would try to overwrite "/etc/passwd".

not fixed yet:

> Once I figure out the right way of handling this, there will probably be
> another libtar release.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.