On Fri, Feb 29, 2008 at 09:30:16PM +0100, Florian Weimer wrote:
> * Ben Finney:
> > It's no security risk to unpack a tarball, apply a patch to it via GNU
> > 'patch', and examine the result.
>
> History should tell you that this is not true. 8-) I can even understand
> people who state that GNU tar should never be used to uncompress
> tarballs from untrusted sources, and we therefore do not need to provide
> security support for it, but this is going a bit too far for my taste.
>
> But my point really is: Please do not use potential security issues
> as arguments. The overall situation is sufficiently bad that this can
> be used to prove *anything*.

I think the difference between the occasional vulnerability in GNU tar
and a system that is designed to operate by executing arbitrary
marginally-trusted code is, erm, rather significant.

--
Colin Watson [EMAIL PROTECTED]