[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-cpio] absolute and .. pathnames and symlinks that point outside the
[Bug-cpio] absolute and .. pathnames and symlinks that point outside the archive
Thu, 19 May 2005 00:57:02 -0700
OK, I am subscribed now. I was missing all the discussion. But I
looked in the archives and saw only a couple of posts.
IMHO this is really important. Is there generally low interest in
this topic, or is cpio simply not used much any more? In either case,
I seem to be in the minority. Strange.
I am curious why --no-absolute-pathnames does not work in cpio -o
mode, since most other archivers seem to let you store non-absolute
pathnames given absolute pathnames, or do so by default. (I think
afio, tar, pax, zip do.)
And I'm curious why my second exploit, with the symlinks that point to
did not generate any replies.
The Gentoo bug fix still leaves exploits, afaict:
dir/dir/../../../../../../../../etc/cron.daily/trojan would perhaps
still get through, and so perhaps would the symlink exploit.
- [Bug-cpio] absolute and .. pathnames and symlinks that point outside the archive,
t takahashi <=