> > Likewise, having a "hardened" config.guess file would not necessarily
> > prevent symlink attacks, but it'll definitely make it much harder for an
> > attacker to exploit it, even if the admin is sloppy.
>
>An attacker is hardly likely to distribute a "hardened" config.guess

Of course the attacker won't distribute a hardened config.guess. But look at 
my attack example shown in my reply to Allan's mail:

http://mail.gnu.org/pipermail/automake/2002-June/011190.html

That attack does *not* require an attacker to distribute a hardened 
config.guess, or change the original source code of the package in any way.

Lawrence

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com


Reply via email to