-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Package: busybox Version: 1:1.22.0-15 Severity: important Tags: security, upstream
It was discovered that busybox's tar implementation will extract a symlink that points outside of the current working directory and follow that symlink when extracting other files. This allows for a directory traversal attack when extracting untrusted tarballs. This behavior is documented in the source code: http://git.busybox.net/busybox/tree/archival/tar.c#n25 More information: https://bugs.busybox.net/8411 http://openwall.com/lists/oss-security/2015/10/21/4 - -- Henri Salo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJWKSTaAAoJECet96ROqnV0sVgQANaMEz84St56AgwKRyiEh2U1 v8B8yaoIyGJA5H0mAbQV6lfVk48ueh0TFNFx4sanBTuR+tD++ibZSREnyG3xfzSf U0aqqFGzQONAMMVbsIEzrd0hz+rwZKwchZbjMmjsiPLyexVTK+FDddC+5BsZBhEI lcyFJYepiR1xXpI7uk2qv1j2+GRwDW7kDIipGWbyZIzBJMHHrsq/9VARteMb27BP RoXWgr8UcAJ6Gc/wfQQQpLhv4EXZOH0BOL7lF2kLYzu754HiFfwcuU9bULwQ2VPH 8vKxFfiPDmcTO2cDjdzs5ofeRG0PyIURFSBpZ3u1OdanmANp9KM8+Ud5NHWCMtkM JXtlZZ+4uySoJEtS6GlDw9h90bhXn8ufyRf4UNdiJsx4iB7EoX1AZZjdoCTvuurb HpzAUTVFIXv6hi3V/3OY2iyZau51vAe7QsQ7moI0felYZvOWL17efLyySSJUB+lr lXuaAla7fsvO/Y529YqBg+8jx29h4pi0HPCWS+cllf7Avo8fhor9Y0u8Ni4pn4yq ISzrZZTJGwzKC15wkXUkB4DyzU9TxJBcAJ0CQlLKENFpU+yrYJ2rX1FPsdZJ86CL r3eWbKWMQpUrmy6GGVOByROaGoo5/PBzcFq+66xQ1utVtHEp/4dtEau+iqU+BTat 54769j9aMKxKOdqs3hnl =Ft7+ -----END PGP SIGNATURE-----
