Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 24 Jan 2023 15:09:08 -0800
From: Alan Coopersmith <>
        Hanno Böck
Subject: Re: Directory traversal in sharutils/uudecode and
 python uu module

On 12/21/22 10:42, Hanno Böck wrote:
> If one can convince someone with root privileges to decode such a file
> this may thus compromise a system.

Fortunately, the easiest exploit path was mostly removed decades ago:

> I got a reply confirming the report from the sharutils developers,
> pointing out that this can be interpreted as expected behavior
> according to the posix standard. I don't expect a fix any time soon,
> their latest release is from 2015.

I started a discussion on the Austin Group mailing list to see if the
standard should be updated, but the argument has mostly leaned towards
"users should either use -o to specify output or look at files before
  uudecoding them" (along with suggestions to drop these utilities from
the standard now in favor of base64 encoding utilities).

         -Alan Coopersmith-       
          Oracle Solaris Engineering -

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.