Re: [Bug-cpio] absolute and .. pathnames and symlinks that point outside the archive
Tue, 24 May 2005 14:28:27 -0700
On 5/24/05, Sergey Poznyakoff <address@hidden> wrote:
> t takahashi <address@hidden> wrote:
> > OK, I am subscribed now.
> Great. Nice to have you with us.
> > I am curious why --no-absolute-pathnames does not work in cpio -o
> > mode
> It does now. Please check out the CVS version to test. See

great! this means that after it's propagated to cygwin and other systems,
cautious users can remove preprocessing like
    grep -v '^/$' | sed 's,^/,,' | (cd /; cpio -o ...)
and replace it with cpio -o --no-absolute....

> I have got no information on these. To the best of my knowledge, they have
> never been reported either to address@hidden or via bug-submission
> interface at http://savannah.gnu.org/bugs/?group=cpio. If you have any

weird. they are in the archives. you did not get?
i sent bug 306693 to debian and cc:ed to address@hidden
i then reported an exploit that is even worse (impossible to detect without -v
option) to debian only. i then noticed that nothing was happening
on bug-cpio archive and the server was being moved, so resent both to bug-cpio.
then after a while i sent the one you replied to.

recently i found the gentoo patch and some secunia thing,
both of which only seem to cover some of the issues. various archivers have
been slowly fixing some of the issues, but not all of them.

i was kind of surprised at no response from anybody anywhere at debian or
bug-cpio. so i was wondering if i was the last cpio user outside rpm:-).
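
Added example, not part of the original message and not cpio's own code: a POSIX shell filter for the name list fed to cpio -o. It generalizes the grep/sed preprocessing quoted above by stripping every leading slash and also dropping names with a ".." component. The function name sanitize_names is hypothetical, and names are assumed to be newline-separated with no embedded newlines.

```shell
# Added example: clean a newline-separated name list before `cpio -o` reads it.
# Assumption: one name per line, no newlines inside names.
sanitize_names() {
    # stdin:  candidate member names
    # stdout: relative names that are safe to store
    # stderr: one "dropped:" line per rejected name
    while IFS= read -r name; do
        # Strip every leading slash so the stored name is relative
        # (the sed in the message removes only the first one).
        while [ "${name#/}" != "$name" ]; do
            name=${name#/}
        done
        # Nothing left means the entry was "/" itself; skip it,
        # as grep -v '^/$' does in the message.
        [ -n "$name" ] || continue
        # Reject any name with a ".." path component. Wrapping the name
        # in slashes lets a single pattern match "..", "../x", "x/..",
        # and "x/../y" while leaving names like "..hidden" alone.
        case "/$name/" in
            */../*)
                printf 'dropped: %s\n' "$name" >&2
                continue
                ;;
        esac
        printf '%s\n' "$name"
    done
}

# Typical use, run from the directory the stored names are relative to:
#   cd / && find etc -print | sanitize_names | cpio -o > backup.cpio
```

This only cleans the names written into a new archive; it does not address symlink members that point outside the archive, the other issue named in the subject line.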