Package: tar
Version: 1.15.1-2
Severity: important
Tags: security

Hi!

tar preserves setuid bits when extracting an archive without even a warning. Please see
http://marc.theaimsgroup.com/?l=bugtraq&m=112327628230258&w=2
for the original report.

This is similar to CAN-2005-0602, which was recently fixed in unzip. unzip now ignores setuid and setgid by default and has a command line option to explicitly allow it (useful for backup restoring). But at least it should warn the user about creating setuid files.

This is CAN-2005-2541; please mention this in the changelog if you fix this.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
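The check the report asks tar for, written out as an added example (this is not code from the bug report, from GNU tar, or from Debian): audit an archive for members carrying setuid or setgid before extracting it, and, if you extract anyway, clear those bits so the archive cannot plant a privileged binary. It uses Python's standard `tarfile` module rather than GNU tar because the audit applies to any extractor; the sample archive, its member names and modes are constructed in the block for the demonstration.

```python
"""Added example: find setuid/setgid members in a tar archive and extract
with those bits cleared. The archive below is constructed in memory."""
import io
import os
import stat
import tarfile
import tempfile

# The two mode bits that turn an extracted file into a privilege boundary.
SETID_BITS = stat.S_ISUID | stat.S_ISGID


def build_sample_archive() -> bytes:
    """Construct a small archive with one setuid entry and one plain file.
    Names and modes are invented for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"#!/bin/sh\necho hello\n"
        ti = tarfile.TarInfo("bin/privtool")
        ti.size = len(payload)
        ti.mode = 0o4755  # rwsr-xr-x: setuid set (constructed)
        tar.addfile(ti, io.BytesIO(payload))

        payload2 = b"plain file\n"
        ti2 = tarfile.TarInfo("etc/readme.txt")
        ti2.size = len(payload2)
        ti2.mode = 0o644
        tar.addfile(ti2, io.BytesIO(payload2))
    return buf.getvalue()


def find_setid_members(archive: bytes):
    """Return (name, mode) for every regular-file member whose recorded mode
    carries setuid or setgid. This is the warning tar 1.15.1 does not give."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isreg() and member.mode & SETID_BITS:
                hits.append((member.name, member.mode))
    return hits


def extract_without_setid(archive: bytes, dest: str):
    """Extract every member after clearing setuid/setgid from its mode.
    Returns the on-disk permission bits per member so the result can be
    verified rather than assumed."""
    modes = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            member.mode &= ~SETID_BITS  # strip the bits before the chmod
            tar.extract(member, path=dest)
            on_disk = os.lstat(os.path.join(dest, member.name)).st_mode
            modes[member.name] = stat.S_IMODE(on_disk)
    return modes


def extract_demo(archive: bytes):
    """Run the stripping extraction into a throwaway directory and return
    the resulting modes."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_without_setid(archive, dest)


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, mode in find_setid_members(sample):
        print(f"WARNING: {name} has mode {oct(mode)} (setuid/setgid)")
    print(extract_demo(sample))
```

The audit half corresponds to reading the mode column of `tar -tvf archive.tar` for an `s` before extracting as root; the extraction half is what an "ignore setuid by default" behaviour like unzip's amounts to. The on-disk modes are returned rather than trusted because the recorded mode and the applied mode can differ once umasks and extraction filters are involved.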

