Florian Weimer wrote:
> unshar archives are unchecked mobile code anyway, so this is not a
> security problem at all.
Hmm, that sucks, I assumed it had been rewritten to extract shell
archives w/o actually executing them at some point in the past 15 or 20
years. Should have big warnings not to run

* Joey Hess:
> Exploitation of this problem would seem to be limited to systems that
> take arbitrary files, perhaps uploaded via ftp, and run unshar on them.
unshar archives are unchecked mobile code anyway, so this is not a
security problem at all.
(A similar bug in shar could be considered di

On Tue, 29 Mar 2005, Joey Hess wrote:
> Package: sharutils
> Version: 1:4.2.1-11
> Severity: normal
> Tags: security
>
> [EMAIL PROTECTED]:/tmp>unshar `perl -e 'print "A"x1500'`/tmp/testing
> [...]
>
> This buffer overflow was apparently discovered by gentoo developers, see
> http://bugs.gentoo.

Package: sharutils
Version: 1:4.2.1-11
Severity: normal
Tags: security
[EMAIL PROTECTED]:/tmp>unshar `perl -e 'print "A"x1500'`/tmp/testing
AA/tmp/testing:
/tmp/