(essentially the same as the unzip vulnerability CAN-2005-0602 except that it only works against the root user) ================================ tar preserves setuid bit ================================ Software: tar Version: 1.15.1 Software URL: <www.gnu.org/software/tar/tar.html> Platform: Unix, Linux. Severity: Medium Vulnerable software ==================== tar 1.15.1 and previous versions running on unix. Vulnerability ============== If running as the root user tar restores the original permissions to extracted files, this includes the setuid bit. No warning is given to the user that this has happened. The default behaviour of tar under root is not to change ownership of the file to root. However owner information is extracted from the tar file, so a trivialy modified tar file can ensure the owner of the extracted files is the root user. This allows for the creation of arbitary setuid executable owned by the root user if the root user extracts the files from a malliciously crafted tar file. --- Imran Ghory
