Re: Path Hijack vulnerability
From: Richard Purdie
Subject: Re: Path Hijack vulnerability
Date: Wed, 03 Nov 2021 19:17:07 +0000
User-agent: Evolution 3.40.4-1

On Wed, 2021-11-03 at 12:11 -0700, Paul Eggert wrote:
> On 11/3/21 07:21, Gregorio Giacobbe wrote:
> > The remediation would be to make sure that tar calls gzip by its absolute
> > path.
>
> Sure, just do this when building 'tar':
>
> ./configure --with-gzip=/usr/bin/gzip
>
> This resolves the issue.
>
> I doubt whether we should make this configure-time option the default.

Please don't!

One of the issues we (as in the Yocto Project) run into a lot is hardcoded
paths and this would just be another one we'd have to configure out.

Cheers,
Richard
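
Added example, not part of the thread and not code from tar or the Yocto Project: since the report turns on tar finding gzip through PATH, this shell function audits which PATH entries are consulted before a command resolves and flags the ones that let the current directory or another user supply it. The name `audit_path_lookup` and its output format are hypothetical.

```shell
#!/bin/sh
# Added example: audit_path_lookup is a hypothetical helper, not part of tar.
# Usage: audit_path_lookup CMD [PATH_VALUE]   (PATH_VALUE defaults to $PATH)
# Walks the search path in order, as an unqualified exec of CMD would, and
# reports entries that let another user or the current directory supply CMD.
# Returns 0 if clean, 1 if a risky entry is consulted, 2 if CMD is not found.
audit_path_lookup() {
    cmd=$1
    rest="${2-$PATH}:"          # trailing ':' keeps a final empty entry visible
    risky=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            "") echo "RISK empty entry (searches the current directory)"
                risky=1; dir=. ;;
            /*) ;;
            *)  echo "RISK relative entry: $dir"
                risky=1 ;;
        esac
        [ -d "$dir" ] || continue
        # Character 9 of the mode string is the write bit for "other".
        if [ "$(ls -ld -- "$dir" | cut -c9)" = "w" ]; then
            echo "RISK world-writable entry: $dir"
            risky=1
        fi
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "RESOLVES $dir/$cmd"
            return "$risky"
        fi
    done
    echo "NOTFOUND $cmd"
    return 2
}

# When run as a script with arguments, audit that command, e.g.: sh audit.sh gzip
[ "$#" -eq 0 ] || audit_path_lookup "$@"
```

Entries after the directory where the command resolves are never reported, because the lookup stops before reaching them.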