[oclug] "tar" problem
Dave Edwards
dle1 at sympatico.ca
Thu Oct 3 13:05:55 EDT 2002
On Thu, 2002-10-03 at 12:40, Vic Gedris wrote:
>
> Why is it that only *this week* that I'm seeing security bulletins and
> updates for "tar"? The security issue in question is the fact that you
> can poison tarballs with files that extract to arbitrary places.
>
> I remember David F. Skoll mentioned this many months (a couple of
> years?) ago, and I even saw his post on Bugtraq way back when...
>
> Oh well.....be careful when you un-tar files, especially from untrusted
> sources. Never do it as root.

I was getting fed-up with badly-rolled tarballs, so I wrote a simple
shell function called 'tear' which makes it easy to inspect the contents
of tarballs before opening them. My version redirects error messages to
/dev/null, but that can be changed.
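
tear() {
    # List the contents of a compressed tarball without extracting it.
    if [ -z "${1}" ] ; then
        # No argument given: print usage
        echo "Usage: \"tear somefile.tar.gz\" OR \"tear somefile.tgz\"
OR
\"tear -b somefile.tar.bz2\""
    elif [ "${1}" = "-b" ] ; then
        # bzip2-compressed tarball
        bzcat "${2}" 2>/dev/null | tar -tf - 2>/dev/null
    else
        # gzip-compressed tarball
        zcat "${1}" 2>/dev/null | tar -tf - 2>/dev/null
    fi
}
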
Cheers,
Dave.
--
dle1 at sympatico.ca
-> No son, onanism's a gross orgasm sin, a no-no son. <-
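
Added example (not part of the original post): a shell filter for the kind of listing 'tear' prints, flagging member names that are absolute or contain a ".." component, which is how a tarball ends up extracting to arbitrary places. The function names flag_unsafe_members and check_tarball are hypothetical, chosen for this illustration.

```shell
# Added example, not from the original post.
# Reads a member listing (one name per line, as printed by "tar -tf")
# on stdin, prints each suspicious name with the reason, and returns
# 1 if any were found, 0 if the listing looks contained.
flag_unsafe_members() {
    unsafe=0
    while IFS= read -r name; do
        case "$name" in
            /*)
                # Absolute path: ignores the directory you extract into
                printf 'absolute path: %s\n' "$name"
                unsafe=1 ;;
            ..|../*|*/..|*/../*)
                # A ".." path component climbs out of the extraction dir
                printf 'parent-directory component: %s\n' "$name"
                unsafe=1 ;;
        esac
    done
    return "$unsafe"
}

# Hypothetical wrapper: list a gzip-compressed tarball the same way
# 'tear' does and run the listing through the filter.
check_tarball() {
    zcat "$1" | tar -tf - | flag_unsafe_members
}
```

The filter looks at member names only; link targets, which 'tar -tvf' displays, are not examined here.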