On Wed, 21 Nov 2001, Guillaume Morin wrote:

> In a message of 20 Nov at 23:33, Anders Gjære wrote:
> >
> > in gzip.c
> >
> > the line:
> > strcpy(nbuf,dir);
> >
> > should maybe be replaced with:
> > strncpy(nbuf, dir,sizeof(nbuf));
>
> gzip runs with user privileges, therefore this is not a security
> problem.
>
That is extremely silly and short-sighted. What happens if root runs gzip, for example root unzipping a tarball for some new software? To say it runs at user privileges *does not* stop it being a security problem.

Benno
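
An added example, not part of the thread and not gzip's code: `strncpy(nbuf, dir, sizeof(nbuf))` as proposed above stops the overflow but leaves `nbuf` without a NUL terminator when `dir` is too long, so a copy that terminates and reports truncation is the safer replacement. `NBUF_SIZE`, `copy_checked`, `terminated_after_strncpy` and the sample paths are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size for the demo; the real size of nbuf in gzip.c is not
 * given in the thread. */
#define NBUF_SIZE 16

/* Returns 1 if dst holds a NUL terminator after strncpy(dst, src, n). */
int terminated_after_strncpy(char *dst, size_t n, const char *src)
{
    memset(dst, 'X', n);            /* make a missing NUL visible */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Bounded copy that always terminates and reports truncation.
 * Returns 0 on success, -1 if src plus its NUL does not fit or the
 * arguments are invalid. Hypothetical helper, not a gzip function. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    len = strlen(src);
    if (len >= dstsz) {
        dst[0] = '\0';              /* fail closed: no partial path */
        return -1;
    }
    memcpy(dst, src, len + 1);      /* len + 1 copies the terminator */
    return 0;
}

int main(void)
{
    char nbuf[NBUF_SIZE];
    const char *short_dir = "/tmp/x";                      /* constructed */
    const char *long_dir  = "/a/very/long/directory/name"; /* constructed */

    printf("strncpy short terminated: %d\n",
           terminated_after_strncpy(nbuf, sizeof(nbuf), short_dir));
    printf("strncpy long terminated:  %d\n",
           terminated_after_strncpy(nbuf, sizeof(nbuf), long_dir));
    printf("copy_checked short: %d\n", copy_checked(nbuf, sizeof(nbuf), short_dir));
    printf("copy_checked long:  %d\n", copy_checked(nbuf, sizeof(nbuf), long_dir));
    return 0;
}
```

The caller decides what to do on `-1` (for a path buffer, usually report an error and skip the file) rather than continuing with a silently truncated name.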