All,

Might it be better to protect against the vulnerability, instead of deep-sixing the entire capability out of fear? You could allow only compression level options in the environment variable, which I think was its main intent in the first place.
Mark

On Mar 13, 2015, at 7:20 PM, Paul Eggert <egg...@cs.ucla.edu> wrote:

> Attached is a proposed patch to make the GZIP environment variable
> obsolescent, for the same reason we're making GREP_OPTIONS obsolescent: it's
> too much opportunity for trouble. For example, with a suitably crafted GZIP
> environment variable I can cause 'gzip' to remove files.
> <0001-gzip-make-the-GZIP-env-var-obsolescent.patch>
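The allowlist approach Mark proposes, written out as an added example that is not gzip's own code and not part of this thread: a parser for the GZIP environment variable that accepts only compression-level options and refuses the value outright if any other option appears, so flags that change file handling (for example -f or -d) can never be smuggled in through the environment. The function names and the exact option set admitted (-1 through -9, --fast, --best) are my assumptions about what "compression level options" should mean; gzip itself does not contain this code.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one whitespace-delimited token from the GZIP variable to a
 * compression level. Only -1 .. -9, --fast (== -1) and --best (== -9)
 * are recognised; anything else, including -f, -d, -S/--suffix or a
 * combined form such as "-9f", yields -1 so the caller can refuse it.
 * (Assumed option set, not taken from gzip's own option table.) */
static int level_from_token(const char *tok, size_t len)
{
    if (len == 2 && tok[0] == '-' && tok[1] >= '1' && tok[1] <= '9')
        return tok[1] - '0';
    if (len == 6 && memcmp(tok, "--fast", 6) == 0)
        return 1;
    if (len == 6 && memcmp(tok, "--best", 6) == 0)
        return 9;
    return -1;
}

/* Scan the whole value of the GZIP variable. Later levels override
 * earlier ones, as they would on a command line. Returns:
 *   1..9  the chosen compression level,
 *   0     value unset or empty, keep the built-in default,
 *  -1     at least one token is not a compression level; the caller
 *         should ignore the variable entirely rather than honour the
 *         "safe" part of it. */
int gzip_env_level(const char *value)
{
    int level = 0;
    if (value == NULL)
        return 0;

    const char *p = value;
    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        int l = level_from_token(start, (size_t)(p - start));
        if (l < 0)
            return -1;
        level = l;
    }
    return level;
}

int main(void)
{
    const char *v = getenv("GZIP");
    int level = gzip_env_level(v);
    if (level < 0) {
        fprintf(stderr,
                "gzip: ignoring GZIP=\"%s\": only compression levels are accepted\n",
                v);
        return 1;
    }
    printf("compression level from GZIP: %d (0 = built-in default)\n", level);
    return 0;
}
```

The refusal is all-or-nothing on purpose: if the variable contains a level plus an unrecognised flag, the whole value is dropped and the user is told why, rather than silently applying the level and discarding the rest, which would hide a misconfigured or tampered environment.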