Re: How to cope with patches sanely

To: debian-devel@lists.debian.org
Subject: Re: How to cope with patches sanely
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 2 Mar 2008 00:27:06 +0000
Message-id: <[🔎] 20080302002706.GA5030@riva.ucam.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <871w6vqzdz.fsf@mid.deneb.enyo.de>
References: <87sl0i6sf0.fsf@benfinney.id.au> <20080129014103.GA16484@scowler.net> <20080130172152.GA20648@kodama.kitenet.net> <200801310919.34389.seanius@debian.org> <87ir1akvk6.fsf@benfinney.id.au> <871w6vqzdz.fsf@mid.deneb.enyo.de>

On Fri, Feb 29, 2008 at 09:30:16PM +0100, Florian Weimer wrote:
> * Ben Finney:
> > It's no security risk to unpack a tarball, apply a patch to it via GNU
> > 'patch', and examine the result.
> 
> History should tell you that this is not true. 8-) I can even understand
> people who state that GNU tar should never be used to uncompress
> tarballs from untrusted sources, and we therefore do not need to provide
> security support for it, but this is going a bit too far for my taste.
> 
> But my point really is: Please do do not use potential security issues
> as arguments.  The overall situation is sufficiently bad that this can
> be used to prove *anything*.

I think the difference between the occasional vulnerability in GNU tar
and a system that is designed to operate by executing arbitrary
marginally-trusted code is, erm, rather significant.

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

Prev by Date: Re: Bug#467249: man-db/groff and locales
Next by Date: Re: (user)tagging wnpp bugs
Previous by thread: Re: How to cope with patches sanely
Next by thread: Re: How to cope with patches sanely
Index(es):
- Date
- Thread