On Thu, Oct 11, 2007, Nico Golde wrote:
> After speaking with Kees Cook and Sean Finney in #debian-security we all
> agreed that this *is* indeed a security issue even if upstream does not
> agree here. It is a valid argument that a user is supposed to extract a
> tar archive in a secure way. It is not the job of the user to take care
> of directory traversal logic via path names or symlinks by examining the
> tar archive first. Thus re-adding the security tag.

I'm not sure what to think here; behavior with ../ and absolute pathnames is documented behavior in the tarfile API.

Another thing which is not strongly advertised is that if your tarball has 0777 directories, extractall() will happily create 0777 directories. (Try with the hal tarball for instance.) Note that "tar" will do the same if you run it as root!!

-- 
Loïc Minier
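A defensive pre-extraction check for the three behaviours Loïc describes (absolute names, `../` traversal, and 0777 directories coming out of `extractall()`), added here as an example and not code from the thread or from Python's tarfile; `unsafe_members`, `safe_extract` and the constructed sample archive are my own names, and member names are assumed to follow tar's POSIX path convention.

```python
import io
import posixpath
import stat
import tarfile


def unsafe_members(tar):
    """Return (name, reason) for each member that a plain extractall() would
    write outside the destination, link outside it, or create world-writable.
    Names are handled as POSIX paths, which is what the tar format stores."""
    problems = []
    for m in tar.getmembers():
        parts = posixpath.normpath(m.name).split("/")
        if posixpath.isabs(m.name):
            problems.append((m.name, "absolute path"))
        elif ".." in parts:
            problems.append((m.name, "parent-directory traversal"))
        elif m.issym() or m.islnk():
            # symlink targets are relative to the member's own directory;
            # hard-link targets are relative to the archive root
            base = posixpath.dirname(m.name) if m.issym() else ""
            target = posixpath.normpath(posixpath.join(base, m.linkname))
            if posixpath.isabs(m.linkname) or target.split("/")[0] == "..":
                problems.append((m.name, "link escapes destination"))
        elif m.mode & stat.S_IWOTH:
            problems.append((m.name, "world-writable mode"))
    return problems


def safe_extract(tar, dest):
    """Extract only if every member passed the checks above.  Caveat: a member
    written *through* a directory symlink created by an earlier member is not
    caught by a name-only scan; resolve each target on disk for that case."""
    problems = unsafe_members(tar)
    if problems:
        raise ValueError("refusing to extract: %r" % (problems,))
    tar.extractall(dest)


def build_sample_archive():
    """Constructed in-memory archive (not a real package): one benign file
    plus members reproducing the cases discussed in the thread."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", mode=0o644, kind=tarfile.REGTYPE, link=""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.mode, ti.linkname, ti.size = kind, mode, link, len(data)
            tar.addfile(ti, io.BytesIO(data) if kind == tarfile.REGTYPE else None)
        add("pkg/README", b"hello\n")
        add("../outside.txt", b"x")
        add("/abs/outside.txt", b"x")
        add("pkg/link", kind=tarfile.SYMTYPE, link="../../elsewhere")
        add("pkg/world", mode=0o777, kind=tarfile.DIRTYPE)
    buf.seek(0)
    return buf
```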

