Re: Path Hijack vulnerability

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Path Hijack vulnerability

From:	Paul Eggert
Subject:	Re: Path Hijack vulnerability
Date:	Wed, 3 Nov 2021 12:11:36 -0700
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0

On 11/3/21 07:21, Gregorio Giacobbe wrote:

The remediation would be to make sure that tar calls gzip by its absolute path.


Sure, just do this when building 'tar':

./configure --with-gzip=/usr/bin/gzip

This resolves the issue.

I doubt whether we should make this configure-time option the default.There are are significant advantages to not using an absolute file namein situations like these. The "path hijack vulnerability" is not a realvulnerability in practice; as Michał mentioned, anyone who can hijack"gzip" can simply hijack "tar" in the first place.

[Prev in Thread]

Current Thread

[Next in Thread]

Path Hijack vulnerability, Gregorio Giacobbe, 2021/11/03
- Re: Path Hijack vulnerability, Michał Górny, 2021/11/03
- Re: Path Hijack vulnerability, Paul Eggert <=
  - Re: Path Hijack vulnerability, Richard Purdie, 2021/11/03
- Re: Path Hijack vulnerability, Mike Frysinger, 2021/11/04

Prev by Date: Re: Path Hijack vulnerability
Next by Date: Re: Path Hijack vulnerability
Previous by thread: Re: Path Hijack vulnerability
Next by thread: Re: Path Hijack vulnerability
Index(es):
- Date
- Thread