On Fri, Feb 29, 2008 at 09:30:16PM +0100, Florian Weimer wrote:
> * Ben Finney:
> > It's no security risk to unpack a tarball, apply a patch to it via GNU
> > 'patch', and examine the result.
> 
> History should tell you that this is not true. 8-) I can even understand
> people who state that GNU tar should never be used to uncompress
> tarballs from untrusted sources, and we therefore do not need to provide
> security support for it, but this is going a bit too far for my taste.
> 
> But my point really is: Please do do not use potential security issues
> as arguments.  The overall situation is sufficiently bad that this can
> be used to prove *anything*.

I think the difference between the occasional vulnerability in GNU tar
and a system that is designed to operate by executing arbitrary
marginally-trusted code is, erm, rather significant.

-- 
Colin Watson                                       [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to