[mdlug] tar advisory

Carl T. Miller millerc at cantonpl.org
Fri Aug 24 09:09:39 EDT 2007


Does anyone know more about the newly discovered problem with
tar?  I just read the description from Red Hat for the new
version of tar, and it said someone could craft a tar archive
to extract files to an arbitrary location with the permissions
of the user.

Near as I know nobody is exploiting this.  But it would be
good to make sure you have the latest version of tar on your
hosts.  And if you're running an unsupported version of Linux,
don't extract unknown tarballs as root.  Extract them first as
a user, then take a look at them.

c