t takahashi <[EMAIL PROTECTED]> wrote:

> OK, I am subscribed now.

Great. Nice to have you with us.

> I am curious why --no-absolute-pathnames does not work in cpio -o
> mode

It does now. Please check out the CVS version to test. See http://savannah.gnu.org/cvs/?group=cpio for generic info on how to do that, then read file README-alpha for cpio-specific information. Building from CVS tree requires some special tools and experience, so if you prefer to not waste your time/efforts to acquire these, just let me know and I'll prepare a tarball for you.

> And I'm curious why my second exploit, with the symlinks that point to
> ../../../../../../../etc/cron.daily/trojan,
> did not generate any replies.
>
> The Gentoo bug fix still leaves exploits, afaict:
> dir/dir/../../../../../../../../etc/cron.daily/trojan would perhaps
> still get through, and so perhaps would the symlink exploit.

I have got no information on these. To the best of my knowledge, they have never been reported either to [email protected] or via bug-submission interface at http://savannah.gnu.org/bugs/?group=cpio. If you have any bugs/fixes/propositions to report, please do this via one of these channels. They are the only two ways your information can reach cpio maintainer.

Regards,
Sergey

_______________________________________________
Bug-cpio mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/bug-cpio
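Added example, not part of the original message and not cpio's own code: a lexical pre-extraction check in C for the two cases raised in the quoted text, a member name such as dir/dir/../../../.. that climbs out of the extraction root only after first descending, and a symlink whose target climbs out. The function names are hypothetical, and the check assumes '/'-separated names taken straight from the archive header.

```c
#include <string.h>

/* Walk a '/'-separated path, starting `depth` directories below the
 * extraction root, and return the depth it ends at, or -1 as soon as
 * a ".." component would step above the root. */
static int walk_depth(const char *p, int depth)
{
    while (*p) {
        size_t n = strcspn(p, "/");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return -1;                    /* climbed above the root */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            depth++;                          /* ordinary directory or file name */
        }
        p += n;
        if (*p == '/')
            p++;                              /* skip the separator */
    }
    return depth;
}

/* Returns 1 if a member name is absolute or leaves the extraction root.
 * A check that only rejects names beginning with "../" misses names
 * that descend first and then climb further than they descended. */
int name_escapes(const char *name)
{
    return name[0] == '/' || walk_depth(name, 0) < 0;
}

/* Returns 1 if a symlink stored at `name` with target `target` points
 * outside the root. The target is resolved relative to the directory
 * that contains the link, not relative to the root. */
int symlink_escapes(const char *name, const char *target)
{
    int depth;

    if (target[0] == '/' || name_escapes(name))
        return 1;
    depth = walk_depth(name, 0) - 1;          /* depth of the containing directory */
    if (depth < 0)
        depth = 0;
    return walk_depth(target, depth) < 0;
}
```

The check is purely lexical: a regular member whose path passes through a symlink extracted earlier still has to be caught at extraction time, for example by refusing to follow symlinks when creating files.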
