Back in January of 2005, Joey Hess pointed out a concern in a bug report against Debian's package of tar that's actually an enhancement request. As I clean up my open bug list in preparation for the next Debian release, I realized we never passed it along.

The concern expressed is that tar is vulnerable to potential phishing attacks because the rmt support doesn't require a slash after the colon, and thus what's intended to be used for a path name could in theory be used to enable a network exploit. More details in the bug log at:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290435

I have to admit that I can't remember the last time I actually used the rmt support... today it seems so much more obvious to pipe things over an ssh connection, etc?

Any thoughts on whether to take any action on this now, and if so, what, would be appreciated.

Regards,
Bdale
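
Added example, not part of the original message or of tar's source: a shell check for archive names that tar's rmt support would read as host:path rather than as a local file. It assumes GNU tar's rule that a name is remote when it contains a colon that is not the first character and has no slash before it; the function names and sample file names are constructed for illustration.

```shell
#!/bin/sh
# Assumption: GNU tar treats an archive name as remote (host:path) when it
# contains a colon that is not the first character and no '/' precedes it.

# Exit status 0 if the name would be treated as remote, 1 if local.
tar_name_is_remote() {
    name=$1
    case $name in
        *:*) ;;                    # has a colon, keep checking
        *) return 1 ;;             # no colon: always local
    esac
    prefix=${name%%:*}             # text before the first colon
    [ -n "$prefix" ] || return 1   # leading colon: local
    case $prefix in
        */*) return 1 ;;           # slash before the colon: local
    esac
    return 0
}

# Print a spelling of the name that is always a local path: a "./" prefix
# puts a slash ahead of the colon.
safe_archive_name() {
    if tar_name_is_remote "$1"; then
        printf './%s\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed sample names, checked without ever invoking tar.
for n in backup.tar example.org:backup.tar user@host:/dev/nst0 \
         ./example.org:backup.tar /srv/a:b.tar :odd.tar; do
    if tar_name_is_remote "$n"; then verdict=remote; else verdict=local; fi
    printf '%-26s %-6s -> %s\n' "$n" "$verdict" "$(safe_archive_name "$n")"
done
```

Scripts that pass untrusted file names to `tar -f` can apply the same check, or pass GNU tar's `--force-local` option so that a colon in the archive name is never taken as a host separator.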