Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 9 Jan 2015 21:18:29 +0100
From: Jakub Wilk <>
Subject: Re: Directory traversals in cpio and friends?

* Alexander Cherepanov <>, 2015-01-08, 02:43:
>The results of tests of tar and cpio archives against various commands 
>follow. '=' means that the corresponding file is not extracted, 'x' 
>means that it is extracted. IMHO secure configuration should list 
>three '=', insecure configuration should list three 'x', everything 
>else is inconsistent. The list created by the attached scripts.
>=== tar ===
>abs     rel     link    cmd
>=       =       =       tar -x
>x       x       x       tar -x -P
>=       =       =       bsdtar -x
>x       x       x       bsdtar -x -P
>=       x       x       paxtar -x
>x       x       x       paxtar -x -P
>x       x       x       pax -r

Let me add:

=       =       x       star -x
=       =       =       star -x -secure-links
x       x       x       star -x -/ -..

(tested with star 1.5.3)

Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.