From: Oleh Krehel
Newsgroups: gmane.emacs.bugs
Subject: bug#25611: 26.0.50; dired-do-compress unpacks .tgz files
Date: Mon, 6 Mar 2017 11:53:15 +0100
References: <6062.1488672111@alto>
To: Mike Kupfer
Cc: 25611@debbugs.gnu.org
In-Reply-To: <6062.1488672111@alto>
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"

Hi Mike,

> It occurs to me that this could be considered a security vulnerability.
> If the .tgz file is (unintentionally) unpacked in $HOME and contains a
> .ssh/authorized_keys, that could give an attacker access to the victim's
> account.

The file is uncompressed into a directory with the same name. So the file would have to be ~/.ssh.tar.gz. If a user presses "Z" on that file, it's pretty clear what will happen, same as with "C" on e.g. an `authorized_keys' file somewhere.

regards,
Oleh
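The point made in this reply can be checked before anything is unpacked. The following is an added example, not code from this thread or from Emacs: it resolves where each archive member would land when the archive is extracted into a directory named after it, and also flags any member whose path resolves outside that directory. The suffix-stripping rule, the function names and the `/home/alice` sample home are assumptions made for illustration.

```python
import io
import posixpath
import tarfile

SENSITIVE = (".ssh/authorized_keys",)   # paths relative to the home directory
SUFFIXES = (".tar.gz", ".tgz")


def extraction_dir(archive_path):
    """Directory named after the archive (assumed rule: strip the suffix)."""
    for suffix in SUFFIXES:
        if archive_path.endswith(suffix):
            return archive_path[: -len(suffix)]
    raise ValueError("not a .tgz/.tar.gz archive: " + archive_path)


def risky_members(archive_path, fileobj, home):
    """Return (member, landing path) pairs that hit a sensitive file or leave
    the extraction directory. Nothing is written to disk."""
    dest = posixpath.normpath(extraction_dir(archive_path))
    targets = {posixpath.normpath(posixpath.join(home, s)) for s in SENSITIVE}
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar.getmembers():
            landing = posixpath.normpath(posixpath.join(dest, member.name))
            escapes = not (landing == dest or landing.startswith(dest + "/"))
            if landing in targets or escapes:
                hits.append((member.name, landing))
    return hits


def make_tgz(names):
    """Build a constructed in-memory .tgz with empty files at the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            tar.addfile(tarfile.TarInfo(name), io.BytesIO(b""))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    home = "/home/alice"  # constructed sample home directory
    print(risky_members(home + "/foo.tgz", make_tgz([".ssh/authorized_keys"]), home))
    print(risky_members(home + "/.ssh.tar.gz", make_tgz(["authorized_keys"]), home))
```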