This is the mail archive of the automake@gnu.org mailing list for the automake project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Security vulnerability in automake

From: "Lawrence Teo" <lteo_list at hotmail dot com>
To: berndj at prism dot co dot za
Cc: allanc at caldera dot com, automake at gnu dot org
Date: Fri, 07 Jun 2002 21:03:33 -0400
Subject: Re: Security vulnerability in automake
Bcc:

> Likewise, having a "hardened" config.guess file would not necessarily
> prevent symlink attacks, but it'll definitely make it much harder for an
> attacker to exploit it, even if the admin is sloppy.

An attacker is hardly likely to distribute a "hardened" config.guess

Of course the attacker won't distribute a hardened config.guess. But look at my attack example shown in my reply to Allan's mail:

http://mail.gnu.org/pipermail/automake/2002-June/011190.html

That attack does *not* require an attacker to distribute a hardened config.guess, or change the original source code of the package in any way.

Lawrence

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]