Re: [Python-Dev] tarfile and directory traversal vulnerability

2007-08-28 Thread Martin v. Löwis
> GNU tar is not supposed to place files outside its working directory, > unless explicitly specified otherwise. So this is considered a security > vulnerability. So that's a vulnerability in GNU tar, sure - it does something that it is not supposed to do. But why is there also a vulnerability in

Re: [Python-Dev] tarfile and directory traversal vulnerability

2007-08-27 Thread Lars Gustäbel
On Mon, Aug 27, 2007 at 07:40:36PM +0200, Jan Matejek wrote: > Lars Gustäbel wrote: > > Suppose we have: > > foo -> /etc > > foo/passwd > > > > If creation of the foo symlink is delayed, foo/passwd will be > > extracted in a directory foo which will be created implicitly. > > If we create the foo

Re: [Python-Dev] tarfile and directory traversal vulnerability

2007-08-27 Thread Jan Matejek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Lars Gustäbel wrote: > Suppose we have: > foo -> /etc > foo/passwd > > If creation of the foo symlink is delayed, foo/passwd will be > extracted in a directory foo which will be created implicitly. > If we create the foo symlink afterwards it will fa

Re: [Python-Dev] tarfile and directory traversal vulnerability

2007-08-27 Thread Jan Matejek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Martin v. Löwis wrote: > I must admit I fail to see the bug. If root untars a file, and that tar > file contains an instruction to overwrite /etc/passwd, why is an error > to execute that instruction? Shouldn't root just be more careful when > untaring

Re: [Python-Dev] tarfile and directory traversal vulnerability

2007-08-25 Thread Lars Gustäbel
On Fri, Aug 24, 2007 at 07:36:41PM +0200, Jan Matejek wrote: > once upon a time there was a known vulnerability in tar (CVE-2001-1267, > [1]), and while tar is now long fixed, python's tarfile module is > affected too. > > The vulnerability goes basically like this: If you tar a file named > "../.

Re: [Python-Dev] tarfile and directory traversal vulnerability

2007-08-24 Thread Martin v. Löwis
> The vulnerability goes basically like this: If you tar a file named > "../../../../../etc/passwd" and then make the admin untar it, > /etc/passwd gets overwritten. > Another variety of this bug is a symlink one: if tar contains files like: > ./-directory -> /etc > ./-directory/passwd > th

[Python-Dev] tarfile and directory traversal vulnerability

2007-08-24 Thread Jan Matejek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 hi, once upon a time there was a known vulnerability in tar (CVE-2001-1267, [1]), and while tar is now long fixed, python's tarfile module is affected too. The vulnerability goes basically like this: If you tar a file named "../../../../../etc/passwd"