[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to cope with patches sanely

On Fri, Feb 29, 2008 at 09:30:16PM +0100, Florian Weimer wrote:
> * Ben Finney:
> > It's no security risk to unpack a tarball, apply a patch to it via GNU
> > 'patch', and examine the result.
> History should tell you that this is not true. 8-) I can even understand
> people who state that GNU tar should never be used to uncompress
> tarballs from untrusted sources, and we therefore do not need to provide
> security support for it, but this is going a bit too far for my taste.
> But my point really is: Please do do not use potential security issues
> as arguments.  The overall situation is sufficiently bad that this can
> be used to prove *anything*.

I think the difference between the occasional vulnerability in GNU tar
and a system that is designed to operate by executing arbitrary
marginally-trusted code is, erm, rather significant.

Colin Watson                                       [cjwatson@debian.org]

Reply to: