[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-cpio] absolute and .. pathnames and symlinks that point outside

From: t takahashi
Subject: Re: [Bug-cpio] absolute and .. pathnames and symlinks that point outside the archive
Date: Tue, 24 May 2005 14:28:27 -0700

On 5/24/05, Sergey Poznyakoff <address@hidden> wrote:
> t takahashi <address@hidden> wrote:
> > OK, I am subscribed now.
> Great. Nice to have you with us.
> > I am curious why --no-absolute-pathnames does not work in cpio -o
> > mode
> It does now. Please check out the CVS version to test. See

great!  this means that after it's propagated to cygwin and other systems,
cautious users can remove preprocessing like

  grep -v '^/$' | sed 's,^/,,' | (cd /; cpio -o ...)

and replace it with cpio -o --no-absolute....

> I have got no information on these. To the best of my knowledge, they have
> never been reported either to address@hidden or via bug-submission
> interface at http://savannah.gnu.org/bugs/?group=cpio. If you have any

weird.  they are in the archives.  you did not get?

i sent bug 306693 to debian and cc:ed to address@hidden
i then reported an exploit that is even worse (impossible to detect without -v
option)  to debian only.  i then noticed that nothing was happening
on bug-cpio archive and the server was being moved, so resent both to bug-cpio.
then after a while i sent the one you replied to.

recently i found the gentoo patch and some secunia thing,
both of which only seem to cover some of the issues.  various archivers have
been slowly fixing some of the issues, but not all of them.

i was kind of surprised at no response from anybody anywhere at debian or
bug-cpio.  so i was wondering if i was the last cpio user outside rpm:-).

reply via email to

[Prev in Thread] Current Thread [Next in Thread]