[I'm not the maintainer of this package.]
* Patrick Matthäi <[email protected]>, 2010-11-29, 21:38:
> Think about the following:
>
> me@gnu:~/my_super_secret_and_safe_evil_dataaaaaaaaaaaa$ ls -ld .
> drwx------ 2 me me 4096 29. Nov 21:29 .
> me@gnu:~/my_super_secret_and_safe_evil_dataaaaaaaaaaaa$ tar -xvzf /tmp/control.tar.gz
> ./
> ./conffiles
> ./md5sums
> ./control
> me@gnu:~/my_super_secret_and_safe_evil_dataaaaaaaaaaaa$ ls -ld .
> drwxr-xr-x 2 me me 4096 14. Jul 13:11 .
> me@gnu:~/my_super_secret_and_safe_evil_dataaaaaaaaaaaa$
>
> Sure, in control.tar.gz "./" is packaged, so it also changes the file
> permissions for ./, but I don't think that this is wanted behaviour for
> users.
I'm not saying this is desired behaviour, but it is (to some extent)
documented. Quoting
<http://www.gnu.org/software/tar/manual/html_section/Security.html#SEC179>:
Extract from an untrusted archive only into an otherwise-empty directory.
This directory AND ITS PARENT should be accessible only to trusted users.
(emphasis mine)
--
Jakub Wilk
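As an added illustration (not part of the bug report or of the tar project), the following POSIX shell script reproduces the mode change described above and shows the mitigation quoted from the tar manual: extracting into an otherwise-empty subdirectory so that the archive's "./" member can only touch a throwaway directory rather than the private one. The archive contents, directory names and the use of an uncompressed tar are constructed for the demonstration; the 0700-to-0755 change on the direct extraction assumes GNU tar, which restores the archived mode of "./" onto the current directory.

```shell
#!/bin/sh
# Added illustration, not code from the bug report: reproduce the mode
# change on the extraction directory and show the mitigation the GNU tar
# manual gives (extract only into an otherwise-empty directory). Uses an
# uncompressed tar; gzip is irrelevant to the behaviour.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Symbolic mode string of a path, e.g. "drwx------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed archive whose first member is "./" recorded with mode 0755,
# as in dpkg-deb's control.tar.gz.
build_archive() {
    mkdir "$WORK/src"
    chmod 755 "$WORK/src"
    printf 'Package: example\n' > "$WORK/src/control"
    ( cd "$WORK/src" && tar -cf "$WORK/control.tar" . )
}

# Unsafe: extract straight into the private directory. GNU tar applies the
# archived mode of "./" to the current directory once extraction finishes,
# so 0700 becomes 0755.
unsafe_extract() {
    mkdir "$WORK/private_unsafe"
    chmod 700 "$WORK/private_unsafe"
    ( cd "$WORK/private_unsafe" && tar -xf "$WORK/control.tar" )
    mode_of "$WORK/private_unsafe"
}

# Safe: extract into a fresh, otherwise-empty subdirectory. The "./" member
# can now only touch that throwaway directory; its private parent keeps
# its own mode regardless of what the archive carries.
safe_extract() {
    mkdir "$WORK/private_safe"
    chmod 700 "$WORK/private_safe"
    mkdir "$WORK/private_safe/extract"
    ( cd "$WORK/private_safe/extract" && tar -xf "$WORK/control.tar" )
    mode_of "$WORK/private_safe"
}

build_archive
UNSAFE_MODE=$(unsafe_extract)
SAFE_MODE=$(safe_extract)
echo "extracted directly into private dir:  $UNSAFE_MODE"
echo "extracted into an empty subdirectory: $SAFE_MODE"
```

The subdirectory approach works with any tar implementation because tar never modifies the parent of its working directory; it also covers the manual's second condition, since the parent (the private directory) is accessible only to its owner.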