155901 2006-11-21 16:36 0000 app-arch/tar symlink directory traversal? (CVE-2006-6097) 2007-02-11 10:24:09 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.html A2? [glsa+] jaervosz P2 major --- 1 tomk@gentoo.org security@gentoo.org cornet@sheepy.org passnet@zmail.ru tomk@gentoo.org 2006-11-21 16:36:19 0000 It's possible to create symlinks to arbitrary locations on the filesystem within a tarball using the GNUTYPE_NAMES record name. This is demonstrated in the FD post specified. Also this has been verified by a Gentoo user here: http://sheepy.org/node/23 For all intents and purposes you can can s/rootdo/sudo/g in that report (He's got some crazy scripts seeing as he's a veteran Gentoo user :) I've also verified this exploit locally. jaervosz@gentoo.org 2006-11-21 23:07:09 0000 Base system please advise. jaervosz@gentoo.org 2006-11-24 11:44:15 0000 Proposed fix is here: https://savannah.gnu.org/bugs/download.php?file_id=11327 jaervosz@gentoo.org 2006-11-24 11:45:39 0000 And upstream bug: https://savannah.gnu.org/bugs/index.php?18355 dercorny@gentoo.org 2006-11-28 01:39:14 0000 mhh this is evil, tricking somebody into extracting a tar file is easy. please bump jakub@gentoo.org 2006-11-29 00:38:32 0000 *** Bug 156578 has been marked as a duplicate of this bug. *** dercorny@gentoo.org 2006-11-30 11:26:40 0000 base-system, we are behind schedule, please bump! vapier@gentoo.org 2006-12-02 14:59:58 0000 cry me a river 1.16-r2 is in portage with the change that actually went into upstream cvs dercorny@gentoo.org 2006-12-03 03:56:55 0000 arch teams, please test and stable 1.16-r2 ticho@gentoo.org 2006-12-03 07:12:56 0000 x86 done dertobi123@gentoo.org 2006-12-03 10:33:05 0000 ppc stable weeve@gentoo.org 2006-12-03 11:33:56 0000 And you, SPARC'd me all night long.... jer@gentoo.org 2006-12-03 14:29:00 0000 Stable for HPPA. corsair@gentoo.org 2006-12-06 00:19:35 0000 ppc64 stable ahf@0x90.dk 2006-12-06 13:06:05 0000 Stable on MIPS. ahf@0x90.dk 2006-12-06 13:35:18 0000 Argh, forgot Alpha. Alpha is stable too. dang@gentoo.org 2006-12-08 10:41:28 0000 amd64 done, sorry for the delay. vorlon@gentoo.org 2006-12-11 13:56:53 0000 GLSA 200612-10 thanks everyone