New submission from Michael Brown:
python 2.5.1
tarfile.py line 1516 in extractall()
sets directories created to world-writeable while extracting which means
an attacker can change/modify files before perms are fixed. Suggest 770
while extracting to fix.
--
components: Library (Lib)
messages: 62016
nosy: mebrown
severity: major
status: open
title: tarfile extractall() allows local attacker to overwrite files while
extracting
type: security
versions: Python 2.5
__
Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2004>
__
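One way to close the window described in the report above, shown as an added example that is not code from the report or from tarfile.py: directories are created owner-only (0700, stricter than the 770 suggested) and receive the archive's modes only after every file is written. The names `extract_with_private_dirs` and `_mkdir_private` are hypothetical, and the example handles only directory and regular-file members.

```python
import os
import shutil
import tarfile


def _mkdir_private(path):
    """Create path and any missing parents, each owner-only (0700)."""
    if not os.path.isdir(path):
        _mkdir_private(os.path.dirname(path))
        os.mkdir(path, 0o700)


def extract_with_private_dirs(tar_path, dest):
    """Extract directories and regular files from tar_path into dest.

    Directories stay 0700 while files are written; the modes recorded in
    the archive are applied at the end. Returns the directories fixed up.
    """
    dest = os.path.realpath(dest)
    _mkdir_private(dest)
    pending = []  # (path, mode from archive) for each directory member
    with tarfile.open(tar_path) as tar:
        for member in tar:
            target = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError("member escapes destination: " + member.name)
            if member.isdir():
                _mkdir_private(target)
                pending.append((target, member.mode & 0o777))
            elif member.isreg():
                _mkdir_private(os.path.dirname(target))
                with tar.extractfile(member) as src, open(target, "wb") as out:
                    shutil.copyfileobj(src, out)
                os.chmod(target, member.mode & 0o777)
            # Links, devices and FIFOs are skipped in this example.
    # Deepest first: a parent is opened up only after everything below it.
    pending.sort(key=lambda item: item[0].count(os.sep), reverse=True)
    for path, mode in pending:
        os.chmod(path, mode)
    return [path for path, _ in pending]
```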