bug-tar

Re: Path Hijack vulnerability


From: Richard Purdie
Subject: Re: Path Hijack vulnerability
Date: Wed, 03 Nov 2021 19:17:07 +0000
User-agent: Evolution 3.40.4-1

On Wed, 2021-11-03 at 12:11 -0700, Paul Eggert wrote:
> On 11/3/21 07:21, Gregorio Giacobbe wrote:
> > The remediation would be to make sure that tar calls gzip by its absolute 
> > path.
> 
> Sure, just do this when building 'tar':
> 
> ./configure --with-gzip=/usr/bin/gzip
> 
> This resolves the issue.
> 
> I doubt whether we should make this configure-time option the default.

Please don't!

One of the issues we (as in the Yocto Project) run into a lot is hardcoded
paths, and this would just be another one we'd have to configure out.

Cheers,

Richard
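
The thread weighs a PATH lookup of gzip against a path fixed at build time with --with-gzip. As an added example (not part of the original messages and not tar's own code), this shell function walks a PATH string the way a bare-name lookup does and reports any relative or group/other-writable directory searched up to the match; the function name and output labels are assumptions.

```shell
#!/bin/sh
# Added example: audit how a bare program name such as "gzip" resolves
# through a PATH-style search. Function name and labels are hypothetical.
#
# audit_path_for PROG PATHSTR
#   prints "RELATIVE <dir>" for empty or relative entries (depend on cwd),
#          "WRITABLE <dir>" for entries writable by group or other,
#          "RESOLVED <file>" for the first executable match.
#   Only entries searched up to and including the match are reported.
#   Exit status: 0 clean, 1 risky entry searched, 2 PROG not found.
audit_path_for() (
    prog=$1
    pathstr=$2
    risky=0
    set -f          # split on ':' without glob expansion (subshell-local)
    IFS=:
    for dir in $pathstr; do
        case $dir in
            /*) ;;
            *)  dir=${dir:-.}       # an empty entry means the current directory
                echo "RELATIVE $dir"
                risky=1 ;;
        esac
        # -prune keeps find on the directory itself; -perm -NNNN tests mode bits.
        if [ -d "$dir" ] && [ -n "$(find "$dir" -prune \
                \( -perm -0002 -o -perm -0020 \) 2>/dev/null)" ]; then
            echo "WRITABLE $dir"
            risky=1
        fi
        if [ -f "$dir/$prog" ] && [ -x "$dir/$prog" ]; then
            echo "RESOLVED $dir/$prog"
            exit "$risky"
        fi
    done
    exit 2
)

# Check the lookup that a tar built without --with-gzip would perform.
audit_path_for gzip "$PATH" || true
```

A clean result with a stable RESOLVED path is also the value one would pass to --with-gzip on systems where a fixed path is acceptable.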



