Subject: Re: tar ignores filenames that contain `..'
To: NetBSD Packages Technical Discussion List <tech-pkg@netbsd.org>
From: Frederick Bruckman <fredb@immanent.net>
List: current-users
Date: 10/27/2002 22:27:20
On Sun, 27 Oct 2002, Greg A. Woods wrote:

> [ On Sunday, October 27, 2002 at 18:25:44 (-0600), Frederick Bruckman wrote: ]
> > Subject: Re: tar ignores filenames that contain `..'
> >
> > Considering that the *threat* is of a malicious archive being
> > downloaded from the internet, what chance is there to exploit a race
> > condition while the archive is being extracted?
>
> It doesn't have to be a threat just of a malicious archive from some
> unknown third party.  Perhaps it was created by a disgruntled colleague,
> or modified by some other attacker who's gained local access and is
> looking for some way to elevate his privileges.  Perhaps it was an
> archive off the net, but maybe an insider has outside help to spoof the
> local admin into pulling down the trojaned archive.

Uh... how does your race condition leverage privilege? It seems an
attacker would need to already have an account with the same privilege
as the targetted user to accomplish anything. But then..., all he
could accomplish, is the ability to write files with the privilege of
the targetted user, which he could already trivially do.

> This problem really does need to be solved properly once and for all for
> everyone everywhere, not just for pkgsrc users -- that's what this is
> all about in the first place, just as the original advisory noted:
>
>           Probably, directory traversal is
>       most  dangerous  among  this  bugs, because it allows to craft archive
>       which  will  trojan  system  on  extraction. This problem is known for
>       software  developers,  and  newer  archivers usually have some kind of
>       protection.  But  in  some  cases  this  protection is weak and can be
>       bypassed.
>
> 	-- http://online.securityfocus.com/archive/1/196445

Yes, exactly. The trojan is the real threat. No race condition. It
looks to me as if Todd Vierling's proposal adequately addresses the
threat.

Frederick