Boost logo

Boost :

From: Daryle Walker (darylew_at_[hidden])
Date: 2004-12-21 00:34:13


On 12/20/04 9:01 PM, "Rene Rivera" <grafik.list_at_[hidden]>
wrote:

> Daryle Walker wrote:
>
>> I dislike the idea of executable-wrapped archives in general. You
>> only have a creator's word that the file isn't actually a Trojan
>> and/or infected with a virus. (Even a trustworthy creator may get
>> overridden by a cracker's altered archives.)
>
> That is true regardless of type of archive. The source archives are just
> as susceptible to tampering as the executable ones. And such tampering
> has occurred in other open source distributed material.
[TRUNCATE the rest as checksumming doesn't affect whether or not embedded
extraction code is a good idea.]

But standard archive formats are not executable in and of themselves.
Expanding a passive archive won't initiate any attack vectors for mal-ware.
An archive with executable code attached adds a potential attack vector with
dubious benefit. (The real problem is that the OP's un-zipper sucked
performance-wise, but an embedded one may be just as bad. The fix is to use
a better extractor.)

Whether or not the files _within_ the archive have been perverted is a
separate matter from what I originally talked about.

-- 
Daryle Walker
Mac, Internet, and Video Game Junkie
darylew AT hotmail DOT com

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk