[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Path Hijack vulnerability

From: Paul Eggert
Subject: Re: Path Hijack vulnerability
Date: Wed, 3 Nov 2021 12:11:36 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0

On 11/3/21 07:21, Gregorio Giacobbe wrote:
The remediation would be to make sure that tar calls gzip by its absolute path.

Sure, just do this when building 'tar':

./configure --with-gzip=/usr/bin/gzip

This resolves the issue.

I doubt whether we should make this configure-time option the default. There are are significant advantages to not using an absolute file name in situations like these. The "path hijack vulnerability" is not a real vulnerability in practice; as Michał mentioned, anyone who can hijack "gzip" can simply hijack "tar" in the first place.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]