From venglin@freebsd.lublin.pl  Mon Nov 12 04:46:56 2001
Return-Path: <venglin@freebsd.lublin.pl>
Received: from mailhost.freebsd.lublin.pl (mailhost.freebsd.lublin.pl [212.182.115.12])
	by hub.freebsd.org (Postfix) with ESMTP id F40E537B416
	for <freebsd-gnats-submit@freebsd.org>; Mon, 12 Nov 2001 04:46:54 -0800 (PST)
Received: (from root@localhost)
	by mailhost.freebsd.lublin.pl (8.11.6/8.11.4) id fACCkhd26770
	for freebsd-gnats-submit@freebsd.org; Mon, 12 Nov 2001 13:46:43 +0100 (CET)
	(envelope-from venglin@freebsd.lublin.pl)
Received: from lagoon.freebsd.lublin.pl (qmailr@lagoon.freebsd.lublin.pl [212.182.115.11])
	by mailhost.freebsd.lublin.pl (8.11.6/8.11.4av) with SMTP id fACCkfF26762
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 12 Nov 2001 13:46:42 +0100 (CET)
	(envelope-from venglin@freebsd.lublin.pl)
Received: (qmail 26757 invoked by uid 1001); 12 Nov 2001 12:46:41 -0000
Message-Id: <20011112124641.26756.qmail@lagoon.freebsd.lublin.pl>
Date: 12 Nov 2001 12:46:41 -0000
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Reply-To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: GNU Tar shipped with FreeBSD handles relative paths
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         31929
>Category:       gnu
>Synopsis:       GNU Tar shipped with FreeBSD handles relative paths
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 12 04:50:01 PST 2001
>Closed-Date:    Thu Aug 22 10:20:27 PDT 2002
>Last-Modified:  Thu Aug 22 10:20:27 PDT 2002
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
czuby.net
>Environment:

System: FreeBSD lagoon.freebsd.lublin.pl 4.4-STABLE FreeBSD 4.4-STABLE #0: Sat Sep 15 12:00:15 CEST 2001 root@riget.scene.pl:/mnt/lagoon/usr/src/sys/compile/RIGET i386

>Description:

FreeBSD ships old version of GNU Tar, which allows to overwrite any file in
system, when unpacking archive. Additionally, Tar changes permissions
of current directory to 0755, when unpacking malformed archive, containing ".".
Both problems were fixed some time ago and most recent version of GNU Tar is
secure.

This problem can expose security risk for mail anti-virus scanners.

>How-To-Repeat:

First problem:

riget:root:/tmp# touch /etc/test
riget:root:/tmp# tar -cf test.tar ../../../../../../etc/test
riget:root:/tmp# rm /etc/test
riget:root:/tmp# tar -xf test.tar
riget:root:/tmp# ls -la /etc/test
-rw-r--r--  1 root  wheel  0 12 Lis 13:43 /etc/test

Second problem:

riget:root:/tmp/dupa# tar -cvf test.tar .
./
tar: test.tar is the archive; not dumped
riget:root:/tmp/dupa# chmod 700 .
riget:root:/tmp/dupa# tar -xf test.tar
riget:root:/tmp/dupa# ls -ld .
drwxr-xr-x  2 root  wheel  512 12 Lis 13:44 .

>Fix:

Upgrade GNU Tar from base system to most recent version.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: sobomax 
State-Changed-When: Tue Jun 4 10:54:13 PDT 2002 
State-Changed-Why:  
Modern GNU tar which was just imported into the -CURRENT doesn't have this 
problem. Therefore, the problem will befilly resolved when tar upgrade is 
MFC'ed in about 1 month. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=31929 
State-Changed-From-To: patched->closed 
State-Changed-By: johan 
State-Changed-When: Thu Aug 22 10:19:54 PDT 2002 
State-Changed-Why:  
GNU tar 1.13.25 has been MFCed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=31929 
>Unformatted:
