Re: [Bug-cpio] absolute and .. pathnames and symlinks that point outside

Sergey Poznyakoff
Re: [Bug-cpio] absolute and .. pathnames and symlinks that point outside the archive
Tue, 24 May 2005 19:51:19 +0300

t takahashi <address@hidden> wrote:

> OK, I am subscribed now.

Great. Nice to have you with us.

> I am curious why --no-absolute-pathnames does not work in cpio -o
> mode

It does now. Please check out the CVS version to test. See
http://savannah.gnu.org/cvs/?group=cpio for generic info on how to do
that, then read the file README-alpha for cpio-specific
information. Building from the CVS tree requires some special tools and
experience, so if you prefer not to waste your time/effort acquiring
these, just let me know and I'll prepare a tarball for you.

> And I'm curious why my second exploit, with the symlinks that point to
> ../../../../../../../etc/cron.daily/trojan,
> did not generate any replies.
> The Gentoo bug fix still leaves exploits, afaict:
> dir/dir/../../../../../../../../etc/cron.daily/trojan would perhaps
> still get through, and so perhaps would the symlink exploit.

I have got no information on these. To the best of my knowledge, they have
never been reported either to address@hidden or via the bug-submission
interface at http://savannah.gnu.org/bugs/?group=cpio. If you have any
bugs/fixes/propositions to report, please do this via one of these
channels. They are the only two ways your information can reach cpio
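
An added example, not part of the original message and not cpio's own code: a pre-extraction audit of an archive listing that refuses the cases named in the subject line (absolute names, `..` names, symlinks pointing outside), including the `dir/dir/../..` form quoted above. The function names, the `(name, target)` listing format and the sample entries are assumptions made for illustration.

```python
import posixpath

def name_escapes(name):
    # Absolute, or ".." ever climbs above the extraction root.
    if name.startswith("/"):
        return True
    depth = 0
    for part in name.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False

def symlink_escapes(link_name, target):
    # A relative target is resolved from the link's own directory.
    parent = posixpath.dirname(link_name)
    return target.startswith("/") or name_escapes(posixpath.join(parent, target))

def audit(members):
    # members: (name, symlink_target or None) in archive order.
    findings, links = [], set()
    for name, target in members:
        if name_escapes(name):
            findings.append((name, "name leaves extraction root"))
            continue
        parts = posixpath.normpath(name).split("/")
        # Writing through a symlink created earlier would follow that link.
        if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
            findings.append((name, "path passes through archived symlink"))
            continue
        if target is not None:
            links.add("/".join(parts))
            if symlink_escapes(name, target):
                findings.append((name, "symlink target leaves extraction root"))
    return findings

# Constructed listing, built from the name patterns in the subject and quotes.
SAMPLE = [
    ("docs/readme.txt", None),
    ("/etc/cron.daily/trojan", None),
    ("dir/dir/../../../../../../../../etc/cron.daily/trojan", None),
    ("link", "../../../../../../../etc/cron.daily/trojan"),
    ("docs/current", "readme.txt"),
    ("docs/current/x", None),
]
```

Running `audit(SAMPLE)` reports four entries; the last one is refused conservatively because it would be written through a symlink that the archive itself created.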


