> > Likewise, having a "hardened" config.guess file would not necessarily
> > prevent symlink attacks, but it'll definitely make it much harder for an
> > attacker to exploit it, even if the admin is sloppy.
>
>An attacker is hardly likely to distribute a "hardened" config.guess

Of course the attacker won't distribute a hardened config.guess. But look at my attack example shown in my reply to Allan's mail:

http://mail.gnu.org/pipermail/automake/2002-June/011190.html

That attack does *not* require an attacker to distribute a hardened config.guess, or change the original source code of the package in any way.

Lawrence