From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Mike Kupfer <mkupfer@alum.berkeley.edu>
Newsgroups: gmane.emacs.bugs
Subject: bug#25611: 26.0.50; dired-do-compress unpacks .tgz files
Date: Sat, 04 Mar 2017 16:01:51 -0800
Message-ID: <6062.1488672111@alto>
References: <3061.1486093822@alto>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Trace: blaine.gmane.org 1488672134 26551 195.159.176.226 (5 Mar 2017 00:02:14 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Sun, 5 Mar 2017 00:02:14 +0000 (UTC)
Cc: 25611@debbugs.gnu.org, ohwoeowho@gmail.com
To: Glenn Morris <rgm@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun Mar 05 01:02:09 2017
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1ckJcl-0006AS-0E
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 05 Mar 2017 01:02:07 +0100
Original-Received: from localhost ([::1]:37070 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1ckJcr-0005yd-6S
	for geb-bug-gnu-emacs@m.gmane.org; Sat, 04 Mar 2017 19:02:13 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:49547)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ckJcl-0005xv-AN
	for bug-gnu-emacs@gnu.org; Sat, 04 Mar 2017 19:02:08 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ckJcg-0000DQ-Iz
	for bug-gnu-emacs@gnu.org; Sat, 04 Mar 2017 19:02:07 -0500
Original-Received: from debbugs.gnu.org ([208.118.235.43]:42195)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1ckJcg-0000DD-DC
	for bug-gnu-emacs@gnu.org; Sat, 04 Mar 2017 19:02:02 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ckJcg-0004pX-4H
	for bug-gnu-emacs@gnu.org; Sat, 04 Mar 2017 19:02:02 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Mike Kupfer <mkupfer@alum.berkeley.edu>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sun, 05 Mar 2017 00:02:02 +0000
Resent-Message-ID: <handler.25611.B25611.148867211718555@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 25611
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
Original-Received: via spool by 25611-submit@debbugs.gnu.org id=B25611.148867211718555
	(code B ref 25611); Sun, 05 Mar 2017 00:02:02 +0000
Original-Received: (at 25611) by debbugs.gnu.org; 5 Mar 2017 00:01:57 +0000
Original-Received: from localhost ([127.0.0.1]:40394 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ckJcb-0004pD-H6
	for submit@debbugs.gnu.org; Sat, 04 Mar 2017 19:01:57 -0500
Original-Received: from shell1.rawbw.com ([198.144.192.42]:55167 ident=root)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <mkupfer@alum.berkeley.edu>) id 1ckJca-0004p5-Af
	for 25611@debbugs.gnu.org; Sat, 04 Mar 2017 19:01:56 -0500
Original-Received: from alto (m208-249.dsl.rawbw.com [198.144.208.249])
	by shell1.rawbw.com (8.15.1/8.15.1) with ESMTP id v2501p4K072600;
	Sat, 4 Mar 2017 16:01:52 -0800 (PST)
	(envelope-from mkupfer@alum.berkeley.edu)
X-Authentication-Warning: shell1.rawbw.com: Host m208-249.dsl.rawbw.com
	[198.144.208.249] claimed to be alto
In-Reply-To: Your message of "Fri, 03 Feb 2017 12:42:18 -0500."
	<hslgtnjhmt.fsf@fencepost.gnu.org>
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 25.2.1
Content-ID: <6061.1488672111.1@alto>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs/>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "bug-gnu-emacs"
	<bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:130201
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/130201>

Glenn Morris wrote:

> Looks like this was added in https://debbugs.gnu.org/20384#11 ?
> I've cc'd the author of that change.

Thanks.

It occurs to me that this could be considered a security vulnerability.
If the .tgz file is (unintentionally) unpacked in $HOME and contains a
.ssh/authorized_keys, that could give an attacker access to the victim's
account.

mike