Re: How to cope with patches sanely
On Fri, Feb 29, 2008 at 09:30:16PM +0100, Florian Weimer wrote:
> * Ben Finney:
> > It's no security risk to unpack a tarball, apply a patch to it via GNU
> > 'patch', and examine the result.
> History should tell you that this is not true. 8-) I can even understand
> people who state that GNU tar should never be used to uncompress
> tarballs from untrusted sources, and we therefore do not need to provide
> security support for it, but this is going a bit too far for my taste.
> But my point really is: Please do do not use potential security issues
> as arguments. The overall situation is sufficiently bad that this can
> be used to prove *anything*.
I think the difference between the occasional vulnerability in GNU tar
and a system that is designed to operate by executing arbitrary
marginally-trusted code is, erm, rather significant.
Colin Watson [email@example.com]