Package: tar
Version: 1.25-2
Severity: important

Hello,

I have stumbled on an error (IMHO) with tar, which is a bit security relevant.

Story: I wanted to check a postinst of a deb archive and tried something like (as root):

cd /tmp
ar x /var/cache/.../foo.deb
tar -xvzf control.tar.gz

Then many applications silently failed; also X11 could not start anymore (XKB compile errors etc.). Later I saw that /tmp now has 0664, which is wrong. I have tested it again and yeah, I have to blame tar. Think about the following:

m...@gnu:~/my_super_secret_and_safe_evil_dataaaaaaaaaaaa$ ls -ld .
drwx------ 2 me me 4096 29. Nov 21:29 .
m...@gnu:~/my_super_secret_and_safe_evil_dataaaaaaaaaaaa$ tar -xvzf /tmp/control.tar.gz
./
./conffiles
./md5sums
./control
m...@gnu:~/my_super_secret_and_safe_evil_dataaaaaaaaaaaa$ ls -ld .
drwxr-xr-x 2 me me 4096 14. Jul 13:11 .
m...@gnu:~/my_super_secret_and_safe_evil_dataaaaaaaaaaaa$

Sure, in control.tar.gz "./" is packaged, so it also changes the file permissions for ./, but I don't think that this is a wanted behaviour for users..

http://nopaste.linux-dev.org/?9139

-- 
/*
Mit freundlichem Gruß / With kind regards,

Patrick Matthäi
GNU/Linux Debian Developer

E-Mail: pmatth...@debian.org
        patr...@linux-dev.org

Comment: Always if we think we are right, we were maybe wrong.
*/
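The behaviour in the report, as an added example that is not part of the bug report or of tar itself: a POSIX shell script that builds a constructed control.tar.gz whose top-level entry is "./" with mode 0755 (the shape of the control member of a .deb), extracts it in place inside a 0700 directory the way the report does, and then shows two extraction patterns that leave the directory's mode alone: unpacking into a fresh scratch subdirectory with -C, which any tar supports, and GNU tar's --no-overwrite-dir, which preserves the metadata of directories that already exist. The package contents, the directory names and the demo driver are assumptions made for this example; whether the in-place extraction actually rewrites the mode of "." depends on the tar version in use, which is what the report is about.

```shell
#!/bin/sh
# Added example, not part of the bug report: reproduce the "./" permission
# clobber described above and show two extraction patterns that avoid it.
# The archive, the package name "foo" and the 0700 "secret" directories are
# constructed here for illustration.

# Build a control.tar.gz whose top-level entry is "./" with mode 0755, the
# shape of the control member of a .deb. Prints the absolute archive path.
make_control_tarball() {
    work=$1
    mkdir -p "$work/pkg"
    chmod 755 "$work/pkg"
    printf 'Package: foo\nVersion: 0.0\n' > "$work/pkg/control"
    ( cd "$work/pkg" && tar -czf ../control.tar.gz . )
    printf '%s\n' "$work/control.tar.gz"
}

# Permission string of a directory, e.g. drwx------ (portable across GNU
# and BSD ls, unlike the differing stat flags).
dir_perms() {
    ls -ld "$1" | cut -c1-10
}

# The reproduction from the report: extract in place inside the directory.
# Because the archive carries a "./" entry, tar may apply that entry's mode
# to "." itself, so the printed string can change from drwx------.
extract_in_place() {
    tarball=$1; target=$2
    ( cd "$target" && tar -xzf "$tarball" )
    dir_perms "$target"
}

# Safer pattern 1 (any tar): unpack into a fresh scratch subdirectory via -C.
# The only directory whose metadata tar can rewrite is the disposable one,
# so the caller's directory keeps its mode.
extract_into_scratch() {
    tarball=$1; target=$2
    mkdir "$target/unpack"
    tar -xzf "$tarball" -C "$target/unpack"
    dir_perms "$target"
}

# Safer pattern 2 (GNU tar only): --no-overwrite-dir keeps the metadata of
# directories that already exist, "." included, while still creating files.
extract_no_overwrite_dir() {
    tarball=$1; target=$2
    ( cd "$target" && tar --no-overwrite-dir -xzf "$tarball" )
    dir_perms "$target"
}

# Run all three variants against separate 0700 directories and report the
# mode before and after each extraction.
demo() {
    tmp=$(mktemp -d)
    tarball=$(make_control_tarball "$tmp")
    for variant in in_place into_scratch no_overwrite_dir; do
        dir="$tmp/secret_$variant"
        mkdir "$dir" && chmod 700 "$dir"
        printf '%-18s before=%s after=%s\n' "$variant" \
            "$(dir_perms "$dir")" "$("extract_$variant" "$tarball" "$dir")"
    done
    rm -rf "$tmp"
}

demo
```

The in_place line is the one to watch: if the "after" column no longer reads drwx------, the tar in use applied the archive's "./" mode to the working directory, exactly as in the report. Of the two alternatives, the -C scratch directory is the one to prefer in scripts, since it does not depend on a GNU-specific option and also contains any other entries the archive might carry.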