[oclug] "tar" problem

Raymond Wood raywood at magma.ca
Thu Oct 3 13:39:49 EDT 2002


On Thu, Oct 03, 2002 at 01:05:55PM -0400, Dave Edwards imagined:

> On Thu, 2002-10-03 at 12:40, Vic Gedris wrote:
> > Why is it that only *this week* that I'm seeing security
> > bulletins and updates for "tar"?  The security issue in
> > question is the fact that you can poison tarballs with files
> > that extract to arbitrary places.
> > 
> > I remember David F. Skoll mentioned this many months (a
> > couple of years?) ago, and I even saw his post on Bugtraq
> > way back when...
> > 
> > Oh well.....be careful when you un-tar files, especially from
> > untrusted sources.  Never do it as root.

> I was getting fed-up with badly-rolled tarballs, so I wrote a
> simple shell function called 'tear' which makes it easy to
> inspect the contents of tarballs before opening them.  My
> version redirects error messages to /dev/null , but that can
> be changed.
> 
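> tear() {
>     # List a tarball's contents without extracting anything.
>     if [ -z "${1}" ] ; then
>         # No argument: print usage (checked first so the -b test never sees an empty $1).
>         echo "Usage: \"tear somefile.tar.gz\"  OR \"tear somefile.tgz\" OR \"tear -b somefile.tar.bz2\""
>     elif [ "${1}" = "-b" ] ; then
>         # bzip2-compressed tarball
>         bzcat "${2}" 2>/dev/null | tar -tf - 2>/dev/null
>     else
>         # gzip-compressed tarball
>         zcat "${1}" 2>/dev/null | tar -tf - 2>/dev/null
>     fi
> }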
> 
> Cheers,
> Dave.

A couple of other methods (if I understand the goal aright):
o tar -ztvf <tarball.tgz> |less
        ^-- (for 'test'?)
OR
o mc  <-- highlight/select the file, then hit 'F3' to inspect
          (gzipped) tarball contents.

Cheers,
Raymond
-- 
"You deserve to be able to cooperate openly and freely with other
people who use software.  You deserve free software."
 -Richard M. Stallman, Free Software Foundation, http://www.fsf.org
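
A stricter form of the list-before-extract habit discussed in this thread, as an added example that is not part of any poster's message: it lists the archive without extracting it and flags member names that are absolute or contain a `..` component. The function names `unsafe_members` and `tarcheck` are hypothetical, and the wrapper assumes a tar that auto-detects gzip/bzip2 when listing, as GNU tar does.

```shell
# Added example (not from the thread). Function names are hypothetical.

# Read member names on stdin, print the unsafe ones,
# and return 1 if at least one was found (0 otherwise).
unsafe_members() {
    awk '
        {
            bad = 0
            if (substr($0, 1, 1) == "/") bad = 1      # absolute path
            n = split($0, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] == "..") bad = 1         # parent-directory component
            if (bad) { print "UNSAFE: " $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# List an archive (never extract it) and check every member name.
# Returns 0 if all names are safe, 1 if any is unsafe, 2 on usage/listing errors.
# Assumption: tar auto-detects compression on read, as GNU tar does.
tarcheck() {
    if [ -z "$1" ]; then
        echo "Usage: tarcheck archive.tar[.gz|.bz2]" >&2
        return 2
    fi
    # Capture the listing first so an unreadable archive is reported as an
    # error instead of being mistaken for an archive with no unsafe names.
    tarcheck_names=$(tar -tf "$1") || {
        echo "tarcheck: cannot list $1" >&2
        return 2
    }
    printf '%s\n' "$tarcheck_names" | unsafe_members
}
```

The check covers member names only; link targets inside the archive are not examined.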