[mdlug] Fwd: tar advisory
Mark Thuemmel
ldaphelp at thuemmel.com
Fri Aug 24 23:34:29 EDT 2007
How come Debian or Ubuntu are not on the affected list? The GNU tar
home page does not seem to say anything either?
God of Lemmings wrote:
>
> look here.
> http://www.securityfocus.com/bid/25417
>
> Begin forwarded message:
> From: "Carl T. Miller" <millerc at cantonpl.org>
> Date: August 24, 2007 9:09:39 AM EST
> To: "MDLUG List" <mdlug at mdlug.org>
> Subject: [mdlug] tar advisory
> Reply-To: "MDLUG's Main discussion list" <mdlug at mdlug.org>
>
> Does anyone know more about the newly discovered problem with
> tar? I just read the description from Red Hat for the new
> version of tar, and it said someone could craft a tar archive
> to extract files to an arbitrary location with the permissions
> of the user.
>
> Near as I know nobody is exploiting this. But it would be
> good to make sure you have the latest version of tar on your
> hosts. And if you're running an unsupported version of Linux,
> don't extract unknown tarballs as root. Extract them first as
> a user, then take a look at them.