GNU bug report logs - #20104
[PATCH] gzip: make the GZIP env var obsolescent


Package: gzip

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Sat, 14 Mar 2015 02:21:01 UTC

Severity: normal

Tags: patch

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: Mark Adler <madler <at> alumni.caltech.edu>
To: Paul Eggert <eggert <at> CS.UCLA.EDU>
Cc: 20104 <at> debbugs.gnu.org
Subject: bug#20104: [PATCH] gzip: make the GZIP env var obsolescent
Date: Sun, 15 Mar 2015 09:39:34 -0700

All,

Might it be better to protect against the vulnerability, instead of deep-sixing the entire capability out of fear?  You could allow only compression level options in the environment variable, which I think was its main intent in the first place.

Mark


On Mar 13, 2015, at 7:20 PM, Paul Eggert <eggert <at> CS.UCLA.EDU> wrote:
> Attached is a proposed patch to make the GZIP environment variable obsolescent, for the same reason we're making GREP_OPTIONS obsolescent: it's too much opportunity for trouble.  For example, with a suitably crafted GZIP environment variable I can cause 'gzip' to remove files.
> <0001-gzip-make-the-GZIP-env-var-obsolescent.patch>
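The allowlist Mark proposes in the reply above, written out as an added example (this is not gzip's code and not part of the thread): a parser for the GZIP environment variable that honours only compression-level options and rejects every other token, so that nothing but the level can be injected through the environment. The function name gzip_level_from_env, its out-parameter for the offending token, and the `main` wrapper are this example's own; the accepted spellings (-1 .. -9, --fast, --best) and the default level of 6 follow gzip's documented options.

```c
/* Added example, not gzip's own code: accept only compression-level
 * options from the GZIP environment variable and reject anything else. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GZIP_LEVEL_DEFAULT 6   /* gzip's documented default level */

/* Parse env_value (the contents of $GZIP) as whitespace-separated tokens.
 * Returns the selected compression level (1..9), or GZIP_LEVEL_DEFAULT
 * when env_value is NULL or empty.  Returns -1 if any token is not one of
 * -1 .. -9, --fast or --best; in that case *bad (if bad != NULL) points at
 * the start of the rejected token inside env_value.  Later tokens
 * override earlier ones, as with command-line options. */
int gzip_level_from_env(const char *env_value, const char **bad)
{
    int level = GZIP_LEVEL_DEFAULT;
    if (bad) *bad = NULL;
    if (!env_value) return level;

    const char *p = env_value;
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;   /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;  /* find token end */
        size_t len = (size_t)(p - start);

        if (len == 2 && start[0] == '-' && start[1] >= '1' && start[1] <= '9')
            level = start[1] - '0';                      /* -1 .. -9 */
        else if (len == 6 && strncmp(start, "--fast", 6) == 0)
            level = 1;
        else if (len == 6 && strncmp(start, "--best", 6) == 0)
            level = 9;
        else {
            /* Anything else (e.g. -f, -r, -d, a file name) is refused so the
             * environment cannot change what gzip does to files. */
            if (bad) *bad = start;
            return -1;
        }
    }
    return level;
}

/* Stand-alone demo: report what $GZIP would select, or name the rejected token. */
int main(void)
{
    const char *bad;
    int level = gzip_level_from_env(getenv("GZIP"), &bad);
    if (level < 0) {
        fprintf(stderr, "gzip: GZIP env var: option not allowed here: %.*s\n",
                (int)strcspn(bad, " \t\n\r\v\f"), bad);
        return 1;
    }
    printf("compression level %d\n", level);
    return 0;
}
```

Running it as `GZIP='-3 --best' ./a.out` prints level 9, while `GZIP='-9 -f' ./a.out` exits 1 and names `-f` as the rejected token; a real implementation would then either ignore the variable entirely or refuse to run, but must not fall through to the full option parser.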




