Re: GNU Tar vulnerability

Board: FB_security | Posted: 2006/11/29 05:01 | Thread: 4/4
On Tuesday 28 November 2006 13:50, Sergey Matveychuk wrote:
> Josh Paetzel wrote:
> > On Tuesday 28 November 2006 11:17, Sergey Matveychuk wrote:
> >> Please, note: http://secunia.com/advisories/23115/
> >>
> >> A port maintainer CC'ed.
> >
> > This is one of those things where the impact is hard to determine
> > because the link doesn't really give much info. Ok, you can
> > overwrite arbitrary files.....ANY file? Or just files that the
> > user running gtar has write access to? If it's the first case
> > then that's huge. If it's the second case then who really cares.
>
> I'm sure it's the second case.
> I think it should care root mostly. But any users dislike too if
> there is a chance to lost their .login, .bashrc etc.
>
> An exploit is available on SecurityFocus.

hrmm....didn't really think this one through. I was looking at it from the 'you have a local user who would want to root your box using this' perspective. Looking at it from a different viewpoint, say, 'you have someone who would like to do mean things from remote by providing you with corrupt tar archives' puts a different spin on it altogether.

--
Thanks,

Josh Paetzel
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #15RAEL00 (FB_security)