

On Thu, May 16, 2002 at 12:43:45AM +0200, Hilko Bengen wrote:
> Tim Bell <bhat@trinity.unimelb.edu.au> writes:
> > For decompressors which can operate in a pipe (like bzip2, gzip), is
> > there anything much wrong with doing the decompressing something
> > like this:
> > 
> >     $ cat $TMPFILE | bzcat | head -c $SIZELIMIT > $TMPFILEOUT
> > 
> > ?  
> No. That is exactly what AMaViS-ng does. And security is the reason
> why AMaViS-ng only supports unpacking programs that can unpack things
> to stdout.

Actually, I think there is.  It makes it possible to hide a virus in
the part of the archive beyond $SIZELIMIT.  It would be better to reject
the attachment if it is too large to scan.

Richard Braakman
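
Added example, not part of the original message: one way to do what the reply recommends, rejecting an attachment whose decompressed size exceeds the limit instead of scanning a truncated copy. It assumes a decompressor that writes to stdout (as in the quoted pipeline); the function name `bounded_decompress` and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). bounded_decompress and its return
# codes are hypothetical names chosen for this illustration.
#
# usage: bounded_decompress LIMIT_BYTES INFILE OUTFILE DECOMPRESSOR [ARGS...]
#   0  whole stream fit within LIMIT_BYTES; OUTFILE is complete, safe to scan
#   1  stream is larger than LIMIT_BYTES; OUTFILE removed, reject the attachment
#   2  decompressor failed (corrupt or truncated input); OUTFILE removed
bounded_decompress() {
    limit=$1 src=$2 dst=$3
    shift 3

    # Ask head for limit+1 bytes: the extra byte distinguishes "exactly at
    # the limit" from "there was more". fd 3 carries the decompressor's exit
    # status out of the pipeline, since POSIX sh has no PIPESTATUS.
    rc=$(
        {
            { st=0; "$@" < "$src" 2>/dev/null || st=$?; echo "$st" >&3; } |
                head -c "$((limit + 1))" > "$dst"
        } 3>&1
    )

    size=$(($(wc -c < "$dst")))
    if [ "$size" -gt "$limit" ]; then
        # Never hand a truncated prefix to the scanner: anything past the
        # limit would go unexamined.
        rm -f "$dst"
        return 1
    fi
    if [ "$rc" != 0 ]; then
        rm -f "$dst"
        return 2
    fi
    return 0
}
```

The decompressor still stops early on oversized input, because `head` closes the pipe after `limit + 1` bytes, so the disk-usage bound of the original pipeline is kept.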
