bug#20104: [PATCH] gzip: make the GZIP env var obsolescent
From: Mark Adler
Subject: bug#20104: [PATCH] gzip: make the GZIP env var obsolescent
Date: Sun, 15 Mar 2015 09:39:34 -0700
All,
Might it be better to protect against the vulnerability, instead of deep-sixing
the entire capability out of fear? You could allow only compression level
options in the environment variable, which I think was its main intent in the
first place.
Mark
On Mar 13, 2015, at 7:20 PM, Paul Eggert <address@hidden> wrote:
> Attached is a proposed patch to make the GZIP environment variable
> obsolescent, for the same reason we're making GREP_OPTIONS obsolescent: it's
> too much opportunity for trouble. For example, with a suitably crafted GZIP
> environment variable I can cause 'gzip' to remove files.
> <0001-gzip-make-the-GZIP-env-var-obsolescent.patch>
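
The allowlist suggested in the message above, as an added example that is not part of the thread and not gzip's code: it splits an environment value on whitespace and accepts it only if every token is a compression-level option (`-1` to `-9`, `--fast`, `--best`). The function names and sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Map one token to a compression level 1..9, or -1 if it is anything
   other than a pure level option (-1 .. -9, --fast, --best). */
static int level_of_token(const char *tok, size_t len)
{
    if (len == 2 && tok[0] == '-' && tok[1] >= '1' && tok[1] <= '9')
        return tok[1] - '0';
    if (len == 6 && memcmp(tok, "--fast", 6) == 0)
        return 1;
    if (len == 6 && memcmp(tok, "--best", 6) == 0)
        return 9;
    return -1;
}

/* Parse the value of an option-carrying environment variable.
   Returns 0 if it is NULL or blank, the last level given (1..9) if every
   token is a level option, and -1 if any token is something else, so the
   caller can ignore the whole variable rather than honour part of it. */
int env_compression_level(const char *env)
{
    static const char ws[] = " \t\n";
    int level = 0;
    if (env == NULL)
        return 0;
    for (const char *p = env; ; ) {
        p += strspn(p, ws);            /* skip separators */
        if (*p == '\0')
            return level;
        size_t len = strcspn(p, ws);   /* length of the next token */
        int l = level_of_token(p, len);
        if (l < 0)
            return -1;                 /* other flag, operand, or bundled option */
        level = l;
        p += len;
    }
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = { "-9", " --fast  -6 ", "", "-9 --force", "-9v", "notes.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-14s -> %d\n", samples[i], env_compression_level(samples[i]));
    return 0;
}
```

Rejecting the whole value on the first unknown token, rather than dropping only that token, keeps a bundled form such as `-9v` from slipping through.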