[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sharutils: Directory traversal (security issue) in uudecode

From: Paul Eggert
Subject: Re: sharutils: Directory traversal (security issue) in uudecode
Date: Sun, 27 Nov 2022 09:30:11 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2

On 2022-11-27 07:57, Hanno Böck wrote:

I want to report a security issue in the uudecode commandline tool that
is part of sharutils.

POSIX requires the current behavior and it's been that way for ages without actual problems being reported. So one possibility is to merely document the situation.

Another possibility is to do as GNU 'tar' does, and warn about dubious file names starting with '/' or '~', while stripping leading prefixes (including anything ending in ".."), while retaining the current behavior if POSIXLY_CORRECT is set. uudecode could steal tar's code to do that.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]