
Re: upload processing resumed



On 13054 March 1977, Yves-Alexis Perez wrote:
>> All our commits are open and get to the -dak list too.
>> The basic summary is "really old code that needs to be replaced,
>> really". In this case - a possible attack using the help of shell
>> metacharacters by a specially prepared filename due to not checking if
>> such characters are in the filename AND using perl's open function in the
>> way it lets shell help it.
 
>> My quick fix only ensured we don't have meta characters, Ansgar invested
>> some more time and rewrote the code in question much more. And fixed a
>> number of other issues too. For details there: read the commits. :)

> Is dak present in a “released” state somewhere? Do other people use
> those releases? Meaning, should we ask for a CVE for this?

No, no and no.

We have git. We have people use that, that's for sure. Checked out at
various dates. I don't think that's something a CVE should be issued
for. Though I won't block it if someone does, the only thing you can
do is "anything before commit XY, update with the latest".

I really hope (and we silently somehow assume) that those who use dak
are following at least debian-dak@lists.debian.org.

-- 
bye, Joerg
Maybe, just once, someone will call me 'Sir' without adding, 'You're
making a scene.'
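An added illustration of the bug class the quoted text describes, not dak's own code (which is not shown here): the two-argument pipe open that lets the shell parse a filename, beside a reader that first rejects unexpected characters (the "quick fix") and then uses the list form of open so no shell is involved at all (the deeper rewrite). The sample filename and the use of `cat` as the helper program are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample name, not a real upload. It carries a ';' so that a
# shell would treat the text after it as a second command.
my $filename = 'foo_1.0-1_amd64.changes; echo injected';

# VULNERABLE pattern: the two-argument open with a trailing '|' is a pipe
# open, and because the string contains metacharacters perl runs it
# through /bin/sh, so the part of the name after ';' is executed as a
# command. Defined here only to show the shape of the bug; not called.
sub read_vulnerable {
    my ($name) = @_;
    open(my $fh, "cat $name |") or die "open: $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# HARDENED pattern: reject names outside a conservative allow-list, then
# use the list form of open ('-|' plus a separate argument list), which
# execs the program directly with no shell in between. The '--' keeps a
# name starting with '-' from being parsed as an option by the helper.
sub read_hardened {
    my ($name) = @_;
    die "rejected: unexpected characters in filename\n"
        unless $name =~ /\A[A-Za-z0-9._+~-]+\z/;
    open(my $fh, '-|', 'cat', '--', $name) or die "open: $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Only the hardened reader is invoked; it refuses the sample name before
# any program is started.
eval { read_hardened($filename) };
print "hardened: $@" if $@;
```

The allow-list alone is what the quoted "quick fix" amounts to; the list-form open removes the shell from the path entirely, so the result no longer depends on getting the character filter exactly right.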

