
Thread: tar vulnerability? Leading ./ (dot slash) makes the --directory option fail.

  1. #1

    tar vulnerability? Leading ./ (dot slash) makes the --directory option fail.

    I ran across this problem when I used checkinstall and then tried to extract the contents of data.tar.gz (which you can find inside any .deb).

    tar has an option to extract the contents of a file in a given directory.

    From tar's manpage:

    Code:
         -C, --directory DIR
               change to directory DIR

    For example, the following command:

    Code:
    $ tar xzf suspiciousfile.tar.gz --directory /empty/directory/somewhere

    will extract the contents of suspiciousfile.tar.gz into the given directory.

    However, if the .tar file has filenames with a leading ./ (dot slash), it will instead extract to the working directory.

    If the file looks like:
    Code:
    $ tar tzf suspiciousfile.tar.gz
    directory/
    directory/file

    Then the contents will be extracted to the directory given with the --directory option.
    This is the expected behaviour.

    However, if the listing looks like:
    Code:
    $ tar tzf suspiciousfile.tar.gz
    ./directory/
    ./directory/file

    Then tar will ignore the --directory option and extract everything to the working directory.

    I can't imagine this being the expected behaviour. It's not documented in the manpage or info section and I can't find an explanation in http://www.gnu.org/software/tar/manual/ either.


    Now, I've solved my particular problem by using --strip-components, but imagine a process that has root, is in a critical directory, and uses the --directory option in tar, expecting it to only extract to the given location.
    It could end up overwriting vital configuration files and executables!
    What's more, it could include both files with and without a leading ./ so that the user would be unaware anything happened, seeing how it extracted some of its files into the expected location.

    tar already complains when names have ".." in their path, and I believe it does that for the same reason.

    Here's a quick fix for this problem, in the case of shell scripts:
    Code:
    pushd /empty/directory/somewhere
    tar xzf suspiciousfile.tar.gz
    popd

    I'm not sure, but I think there's a related problem with a single leading slash.
    That one seems to be reasonably documented, though.
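
Added example, not part of the original posts: a pre-extraction audit in Python that resolves each member name against the destination directory and flags the cases raised above (leading ./, "..", a leading slash), plus link targets pointing outside, which goes beyond what the post covers. The archive contents, function names and verdict labels are constructed for illustration; /empty/directory/somewhere is the path used in the post.

```python
import io
import os
import tarfile

def build_sample_archive():
    """Constructed sample mixing the member-name styles from the thread."""
    buf = io.BytesIO()
    data = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("directory/file", "./directory/file",
                     "../outside", "/etc/absolute"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("directory/link")  # symlink pointing upward
        link.type = tarfile.SYMTYPE
        link.linkname = "../../elsewhere"
        tar.addfile(link)
    return buf.getvalue()

def _inside(dest, path):
    return os.path.commonpath([dest, path]) == dest

def audit_members(archive_bytes, dest):
    """Map each member name to a verdict; nothing is extracted."""
    # Lexical check only: symlinks already present under dest are not resolved.
    dest = os.path.abspath(dest)
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.normpath(os.path.join(dest, m.name))
            if os.path.isabs(m.name):
                verdicts[m.name] = "absolute"
            elif not _inside(dest, target):
                verdicts[m.name] = "escapes"
            elif m.issym() or m.islnk():
                # Symlink targets are relative to the link's own directory,
                # hard-link targets to the archive root.
                base = os.path.dirname(target) if m.issym() else dest
                link = os.path.normpath(os.path.join(base, m.linkname))
                verdicts[m.name] = "ok" if _inside(dest, link) else "link-escapes"
            else:
                verdicts[m.name] = "ok"
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit_members(build_sample_archive(),
                                       "/empty/directory/somewhere").items():
        print(f"{verdict:13} {name}")
```

A script can refuse to extract unless every verdict is "ok", instead of relying on the extraction options alone.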

  2. #2

    Re: tar vulnerability? Leading ./ (dot slash) makes the --directory option fail.

    Quote Originally Posted by joaovrsa
    However, if the listing looks like:
    Code:
    $ tar tzf suspiciousfile.tar.gz
    ./directory/
    ./directory/file
    Then tar will ignore the --directory option and extract everything to the working directory.

    I tested on a non-Ubuntu OS. It didn't produce the behavior you're describing.

    Code:
    $ cat /etc/redhat-release 
    Fedora release 13 (Goddard)
    
    $ tar xfzv suspect.tgz --directory /tmp
    ./foo/
    ./foo/bar.txt
    
    $ file ./foo
    ./foo: cannot open `./foo' (No such file or directory)
    
    $ file /tmp/foo
    /tmp/foo: directory

    File a bug report?

  3. #3

    Re: tar vulnerability? Leading ./ (dot slash) makes the --directory option fail.

    I am not sure why you posted this here.

    In terms of security, this falls into the category of do not install applications, run commands, or extract archives, tar or otherwise, from untrusted sources. An archive, tar in this case, can contain most anything.