Re: GNU Sharutils and security
From: Paul Eggert
Subject: Re: GNU Sharutils and security
Date: Thu, 01 Jul 2004 11:24:36 -0700
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
"Bruno Haible" <address@hidden> writes:
> Therefore, how about removing shar and unshar from the sharutils, or
> splitting sharutils into a useful and harmless package and a
> separate security-killer package?
Good suggestion.
Perhaps the simplest way would be to revert the November 1994 change,
which merged GNU shar 4.0 and GNU uuencode 1.0 into GNU sharutils 4.1.
We could, for example, rename GNU sharutils back to GNU uuencode and
bump the version number, thus removing shar and unshar.
If simply removing shar and unshar is considered to be too drastic,
another possibility is to substitute a "safer" unshar, which doesn't
actually invoke the shell, but which verifies the input and only does
"safe" things. This would resemble the sort of security fixes that
have been installed into GNU tar over the past few years.
Once this is done, perhaps GNU shar should output scripts that start
like this:
#!/bin/sh
echo "Please do not use the shell to evaluate this file; use GNU unshar instead."
echo "Otherwise you are leaving yourself wide open for security attacks"
echo "like Trojan horses, viruses, etc."
exit 1
However, all this would be some work (particularly the safer unshar).
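One shape the "safer" unshar sketched above could take, as an added illustration rather than code from sharutils or from anyone in this thread: an extractor that never hands the archive to a shell, accepts only the here-document file writes shar emits, confines paths to the extraction directory, and refuses anything else. The sample archive and the exact command pattern it matches are constructed assumptions, not real shar output.

```python
import re
from typing import Dict

# Constructed sample in the here-document style GNU shar emits: each file is
# written by a sed here-document whose body lines carry a leading 'X'.  The
# exact command shape is an assumption made for this example.
SAMPLE_SHAR = """#!/bin/sh
# This is a shell archive (constructed sample, not real shar output).
sed 's/^X//' << 'SHAR_EOF' > 'hello.txt' &&
Xhello, world
Xsecond line
SHAR_EOF
exit 0
"""

# The only command shape accepted; nothing in the archive is ever executed.
_FILE_RE = re.compile(r"^\s*sed 's/\^X//' << 'SHAR_EOF' > '([^']+)' &&\s*$")
# Lines that carry no command: comments (including #!), blanks, trailing exit.
_IGNORED_RE = re.compile(r"^\s*(#.*|exit 0)?\s*$")

class UnsafeShar(ValueError):
    """Any archive content the safe extractor refuses to handle."""

def safe_unshar(text: str) -> Dict[str, str]:
    """Return {path: contents} from a shar archive without invoking a shell.
    A line that is neither ignorable nor a recognised here-document write
    aborts extraction, so a smuggled command is reported, not run."""
    files: Dict[str, str] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _FILE_RE.match(lines[i])
        if m:
            name = m.group(1)
            # Confine writes to the extraction directory.
            if name.startswith("/") or ".." in name.split("/"):
                raise UnsafeShar(f"path escapes extraction directory: {name!r}")
            body, i = [], i + 1
            while i < len(lines) and lines[i] != "SHAR_EOF":
                if not lines[i].startswith("X"):
                    raise UnsafeShar(f"malformed body line: {lines[i]!r}")
                body.append(lines[i][1:])
                i += 1
            if i == len(lines):
                raise UnsafeShar(f"unterminated here-document for {name!r}")
            files[name] = "\n".join(body) + "\n"
        elif not _IGNORED_RE.match(lines[i]):
            raise UnsafeShar(f"unrecognised command on line {i + 1}: {lines[i]!r}")
        i += 1
    return files
```

The returned mapping is what a caller would then write to disk itself; the archive text never reaches /bin/sh.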