Nico Golde [EMAIL PROTECTED] [Sun, 9 Sep 2007 14:30:06 +0200]:
Hi,
* Sylvain Beucler [EMAIL PROTECTED] [2007-09-09 13:56]:
> Was this forwarded to the Stable security team?
> If I'm given a tarball that can replace /etc/passwd, I'd say this is
> a grave bug.
This bug is
Hi,
Was this forwarded to the Stable security team?
If I'm given a tarball that can replace /etc/passwd, I'd say this is
a grave bug.
Thanks,
--
Sylvain
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Hi,
* Sylvain Beucler [EMAIL PROTECTED] [2007-09-09 13:56]:
> Was this forwarded to the Stable security team?
> If I'm given a tarball that can replace /etc/passwd, I'd say this is
> a grave bug.
This bug is monitored via the security tracker:
http://security-tracker.debian.net/tracker/CVE-2007-4131
A user does not expect tar to allow absolute path names unless the -P
option is given.
tags 439335 +pending
thanks
On Wed, 2007-08-29 at 20:50 +0200, Stefan Fritsch wrote:
> A user does not expect tar to allow absolute path names unless the -P
> option is given.
That's not a justification for severity 'grave' in the Debian BTS.
However, regardless of what we think the appropriate
Package: tar
Version: 1.18-1
Severity: grave
Tags: security patch
From CVE-2007-4131:
The vulnerability is caused due to an input validation error when
extracting tar archives. This can be exploited to extract files to
arbitrary locations outside
On Fri, 2007-08-24 at 11:35 +0200, Luca Bruno wrote:
> Package: tar
> Version: 1.18-1
> Severity: grave
Why does this merit a 'grave' severity when there is no apparent priv
escalation involved?
Bdale