On Tuesday 28 November 2006 13:50, Sergey Matveychuk wrote:
> Josh Paetzel wrote:
> > On Tuesday 28 November 2006 11:17, Sergey Matveychuk wrote:
> >> Please, note: http://secunia.com/advisories/23115/
> >>
> >> A port maintainer CC'ed.
> >
> > This is one of those things where the impact is hard to determine
> > because the link doesn't really give much info. Ok, you can
> > overwrite arbitrary files.....ANY file? Or just files that the
> > user running gtar has write access to? If it's the first case
> > then that's huge. If it's the second case then who really cares.
> > I'm sure it's the second case.
>
> I think it should care root mostly. But any users dislike too if
> there is a chance to lose their .login, .bashrc etc.
>
> An exploit is available on SecurityFocus.

hrmm....didn't really think this one through. I was looking at it
from the 'you have a local user who would want to root your box using
this' perspective. Looking at it from a different viewpoint, say,
'you have someone who would like to do mean things from remote by
providing you with corrupt tar archives' puts a different spin on it
altogether.

-- 
Thanks,

Josh Paetzel
