On 11/3/21 07:21, Gregorio Giacobbe wrote:
> The remediation would be to make sure that tar calls gzip by its absolute path.
Sure, just do this when building 'tar':
./configure --with-gzip=/usr/bin/gzip
This resolves the issue.
I doubt whether we should make this configure-time option the default.
There are significant advantages to not using an absolute file name
in situations like these. The "path hijack vulnerability" is not a real
vulnerability in practice; as Michał mentioned, anyone who can hijack
"gzip" can simply hijack "tar" in the first place.
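An added example, not part of the thread and not tar's own code, for checking the behaviour under discussion on a given system: it plants a wrapper script named "gzip" ahead of the real one in $PATH, runs the installed tar with -z, and reports whether tar picked the wrapper up (i.e. resolved "gzip" through $PATH) or went to the real binary by an absolute path. The function name, the wrapper, and the marker file are my own; it assumes a tar that accepts -czf, a gzip somewhere in $PATH, and mktemp -d.

```shell
#!/bin/sh
# Added example (not from the bug-tar thread, not tar's own code).
# Does the tar in $PATH resolve "gzip" through $PATH when given -z?

# tar_resolves_gzip_via_path: prints "path" if tar ran the wrapper we planted
# ahead of the real gzip, "absolute" if the wrapper was never called.
# Returns 2 if tar, gzip or mktemp is unavailable, 3 if tar itself failed.
tar_resolves_gzip_via_path() {
    command -v tar >/dev/null 2>&1 || return 2
    real_gzip=$(command -v gzip) || return 2
    work=$(mktemp -d) || return 2
    marker="$work/gzip-was-called"        # hypothetical marker file
    mkdir "$work/bin"

    # Wrapper named "gzip": records that it ran, then hands over to the real
    # gzip so the archive tar produces is still valid.
    cat >"$work/bin/gzip" <<EOF
#!/bin/sh
echo "\$\$ \$*" >>"$marker"
exec "$real_gzip" "\$@"
EOF
    chmod +x "$work/bin/gzip"

    printf 'hello\n' >"$work/input.txt"  # constructed sample input

    # Only $PATH changes; the tar under test is whatever is installed.
    # The if keeps a failing tar from tripping set -e in the caller.
    if ( PATH="$work/bin:$PATH"; export PATH
         cd "$work" && tar -czf out.tgz input.txt ) >/dev/null 2>&1; then
        tar_ok=1
    else
        tar_ok=0
    fi

    if [ "$tar_ok" -eq 0 ]; then
        rm -rf "$work"
        return 3
    fi

    if [ -s "$marker" ]; then result=path; else result=absolute; fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Usage: run it and read the verdict.
# tar_resolves_gzip_via_path
```

On a tar built without --with-gzip this prints "path", which is the default behaviour the thread is about; a tar built with ./configure --with-gzip=/usr/bin/gzip prints "absolute". The check says nothing about whether that matters: the same $PATH the wrapper relied on is the one the caller's "tar" was found through, which is the point made in the reply above.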