Re: [Bug-cpio] absolute and .. pathnames and symlinks that point outside
From: Sergey Poznyakoff
Subject: Re: [Bug-cpio] absolute and .. pathnames and symlinks that point outside the archive
Date: Tue, 24 May 2005 19:51:19 +0300

t takahashi <address@hidden> wrote:

> OK, I am subscribed now.

Great. Nice to have you with us.

> I am curious why --no-absolute-pathnames does not work in cpio -o
> mode

It does now. Please check out the CVS version to test. See
http://savannah.gnu.org/cvs/?group=cpio for generic info on how to do
that, then read the file README-alpha for cpio-specific
information. Building from the CVS tree requires some special tools and
experience, so if you prefer not to waste your time/efforts to acquire
these, just let me know and I'll prepare a tarball for you.

> And I'm curious why my second exploit, with the symlinks that point to
> ../../../../../../../etc/cron.daily/trojan,
> did not generate any replies.
>
> The Gentoo bug fix still leaves exploits, afaict:
> dir/dir/../../../../../../../../etc/cron.daily/trojan would perhaps
> still get through, and so perhaps would the symlink exploit.

I have got no information on these. To the best of my knowledge, they have
never been reported either to address@hidden or via the bug-submission
interface at http://savannah.gnu.org/bugs/?group=cpio. If you have any
bugs/fixes/propositions to report, please do this via one of these
channels. They are the only two ways your information can reach the cpio
maintainer.

Regards,
Sergey
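
Added example, not part of the original message and not cpio's own code: a lexical containment check for the two cases raised in the quoted text, a member name whose `..` components follow leading directories and a symlink whose relative target climbs out of the extraction directory. The function names are hypothetical, the sample names are constructed from those quoted above, and the check assumes no path component is itself a symlink created by an earlier archive member.

```c
#include <stdio.h>
#include <string.h>

/* Walk `path` one component at a time, starting `depth` directories below
   the extraction root. Returns the final depth, or -1 if the path is
   absolute or climbs above the root at any point. Lexical only: it assumes
   no component is a symlink created by an earlier archive member. */
int walk(const char *path, int depth)
{
    if (path[0] == '/')
        return -1;
    for (const char *p = path; *p; ) {
        size_t n = strcspn(p, "/");            /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return -1;                     /* stepped above the root */
        } else if (!(n == 1 && p[0] == '.')) {
            depth++;                           /* ordinary component */
        }
        p += n;
        p += strspn(p, "/");                   /* skip one or more slashes */
    }
    return depth;
}

/* Hypothetical weak filter, for contrast: inspects only the start of the name. */
int naive_ok(const char *name)
{
    return name[0] != '/' && strncmp(name, "../", 3) != 0;
}

int member_name_ok(const char *name)
{
    return walk(name, 0) >= 0;
}

/* A relative symlink target is resolved from the directory holding the link. */
int symlink_ok(const char *name, const char *target)
{
    int d = walk(name, 0);
    return d >= 1 && walk(target, d - 1) >= 0;
}

int main(void)
{
    /* Constructed samples modelled on the names quoted in the message. */
    const char *m = "dir/dir/../../../../../../../../etc/cron.daily/trojan";
    const char *t = "../../../../../../../etc/cron.daily/trojan";
    printf("naive_ok(member)       = %d\n", naive_ok(m));
    printf("member_name_ok(member) = %d\n", member_name_ok(m));
    printf("symlink_ok(dir/link)   = %d\n", symlink_ok("dir/link", t));
    printf("symlink_ok(benign)     = %d\n", symlink_ok("dir/link", "../lib/x"));
    return 0;
}
```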