COMMAND

    gtar

SYSTEMS AFFECTED

    Systems running GNU tar

PROBLEM

    GNU tar is lazy about file creation modes and file owners when
    unpacking a tar file.  Because GNU tar defaults to creating files
    owned by the userid running tar when the username is not found on
    your system, it can be possible to inadvertently create setuid
    root programs.

    Ben Elliston, who discovered it, gives us an example:

        On machine A, as user "fred" (uid doesn't matter), use gtar
        to create a tar file of the directory ~/files.  Inside the
        subdirectory, place a copy of /bin/bash and, as fred, make
        the program setuid fred (the mode 4755 works well).

        Send the tar file to someone on machine B where the user "fred"
        does not exist and have them unpack the directory somewhere.
        Since "fred" does not exist on machine B and gtar is being
        run as root, you have created a world-executable setuid-root
        shell.
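    The following Python script is an added defender-side illustration; it
    is not part of the advisory and not code from GNU tar.  It audits an
    archive before anyone unpacks it as root: every entry is checked for
    setuid/setgid bits and for an owner name that does not resolve in the
    local password database, and entries with both properties are the ones
    that, per the description above, come out setuid to the extracting
    user.  The sample archive is constructed inline to mirror the scenario
    (a setuid "fred" shell copy plus a harmless file); the `user_exists`
    hook is an assumed parameter that defaults to a real `pwd` lookup and
    can be replaced with a fixed account list for testing.

```python
"""Pre-extraction audit for the gtar owner-fallback problem described above.

Added example, not part of the advisory or of GNU tar.  It reads a tar
archive from memory and reports entries that (a) carry setuid/setgid bits
and (b) name an owner that does not exist in the local password database.
"""
import io
import pwd
import stat
import tarfile
from collections import namedtuple
from typing import Callable, Dict, List

SETID_BITS = stat.S_ISUID | stat.S_ISGID

Finding = namedtuple("Finding", "name mode uname setid owner_unknown")


def local_user_exists(name: str) -> bool:
    """Same lookup tar performs at extraction time: is the name in the passwd db?"""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def audit_archive(data: bytes,
                  user_exists: Callable[[str], bool] = local_user_exists) -> List[Finding]:
    """Classify every entry of an uncompressed tar archive held in memory.

    `user_exists` is an assumed, injectable hook so the check can be run
    against another host's account list or a fixed set in tests."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            perm = m.mode & 0o7777
            findings.append(Finding(
                name=m.name,
                mode=perm,
                uname=m.uname,
                setid=bool(perm & SETID_BITS),
                # Only a non-empty name that cannot be resolved here triggers
                # the owner fallback the advisory describes.
                owner_unknown=bool(m.uname) and not user_exists(m.uname),
            ))
    return findings


def dangerous_entries(data: bytes,
                      user_exists: Callable[[str], bool] = local_user_exists) -> List[str]:
    """Names of entries that would end up setuid/setgid to the extracting user."""
    return [f.name for f in audit_archive(data, user_exists)
            if f.setid and f.owner_unknown]


def strip_setid_filter(member: tarfile.TarInfo, dest_path: str) -> tarfile.TarInfo:
    """Extraction filter in the shape of tarfile's `filter=` hook (Python 3.12+
    and its backports): clears setuid/setgid bits so that extracting as root
    cannot yield a privileged binary whatever the recorded owner was."""
    member.mode &= ~SETID_BITS
    return member


def sanitized_modes(data: bytes) -> Dict[str, int]:
    """Apply strip_setid_filter to every member and report the resulting modes."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return {m.name: strip_setid_filter(m, "/nonexistent").mode & 0o7777
                for m in tf.getmembers()}


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the scenario above: a setuid-'fred'
    stand-in for a shell binary plus an ordinary file, both owned by 'fred'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, mode, payload in [
            ("files/bash", 0o4755, b"#!/bin/sh\necho stand-in for a shell binary\n"),
            ("files/notes.txt", 0o644, b"harmless text\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            info.uid = info.gid = 1234          # fred's ids on machine A (constructed)
            info.uname = info.gname = "fred"
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for f in audit_archive(sample):
        flag = "DANGEROUS" if f.setid and f.owner_unknown else "ok"
        print(f"{flag:9} {f.mode:04o} {f.uname:8} {f.name}")
    print("would become setuid to the extractor:", dangerous_entries(sample))
```

    Run on a host with no "fred" account, the audit flags files/bash and
    nothing else.  Python 3.12 (and the backported releases) can apply the
    same idea during extraction with `extractall(path, filter="data")`, which
    drops setuid/setgid bits and recorded ownership; with GNU tar itself the
    equivalent is to unpack untrusted archives as an unprivileged user or
    with `--no-same-owner` and `--no-same-permissions`.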

SOLUTION

    Well, don't use gtar.  The system's native tar works fine as well.