
Re: git-annex security update ready for testing and review



On 2018-09-06 15:42:41, Joey Hess wrote:
> Antoine Beaupré wrote:
>> I'm now more confident the patchset is complete. There is one tiny bit
>> I'm still slightly unsure of. In Command.Reinject.perform, there was a
>> `boolSystem "mv"` call lying around that was turned into a `moveFile`
>> some time between the jessie version and 2fb3722ce. I figured this was
>> the last instance of such an "mv" call and that moveFile does what it's
>> supposed to do in the jessie version. So to avoid any compiler mishaps,
>> I figured I would just use moveFile there but I'm not certain of the
>> implications.
>
> I don't think this change was strictly necessary, but I do think it's correct.
>
>> I'm also wondering if there are reproducers for those vulnerabilities so
>> that I can test the new packages to see if they actually fix the
>> problems.
>
> No, I don't have any. You can test downloads from localhost and non-http
> url schemes to make sure they're blocked.
>
>> So I've uploaded the test packages to my repository again:
>> 
>> https://people.debian.org/~anarcat/debian/jessie-lts/
>> 
>> This time, testing would be greatly appreciated. And of course, a review
>> of the patchset would be great as well.
>
> I've looked over the patchset and nothing stands out to me as a problem,
> but it is of course a big patchset against a very old version so it
> would be easy to miss something.

Thanks so much for the review (and the quote on your devblog, btw! :). I
understand it's a huge patch and I'm of course not asking for any
warranties. Just having an extra pair of eyes on this is great in any
case.

Cheers!

A.
-- 
The fundamental cause of the trouble is that in the modern world the
stupid are cocksure while the intelligent are full of doubt.
                       - Bertrand Russell, The Triumph of Stupidity, 1933
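The quoted advice above, to test that downloads from localhost and from non-http URL schemes are blocked, is the kind of check a downloader's URL policy has to implement. The following is an added example and is not git-annex's own code; it is a hypothetical standalone URL validator that rejects anything but http/https and any host that is a localhost name or that is (or resolves to) loopback, private, link-local or other non-global address space. The `resolver` parameter is an assumption made so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy: the only URL schemes the downloader may follow.
ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    # All addresses the host name resolves to (IPv4 and IPv6).
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=_default_resolver):
    """Return (allowed, reason).

    allowed is False when the scheme is not http(s), when the host is a
    localhost name, or when the host is / resolves to an address that is
    not globally routable (loopback, private, link-local, unspecified).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    lowered = host.lower()
    if lowered == "localhost" or lowered.endswith(".localhost"):
        return False, "localhost name"
    try:
        # Literal IPv4/IPv6 address; urlsplit already strips IPv6 brackets.
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError) as e:
            return False, "could not resolve %r: %s" % (host, e)
    for a in addrs:
        if not a.is_global:
            return False, "%s resolves to non-global address %s" % (host, a)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs covering the cases named in the mail thread.
    for u in ("file:///etc/passwd", "http://127.0.0.1/", "http://[::1]/",
              "http://localhost:8080/", "http://10.1.2.3/",
              "https://93.184.216.34/"):
        print(u, check_url(u))
```

Note that validating a name and then letting a separate HTTP client re-resolve it leaves a window for the answer to change (DNS rebinding); a robust downloader connects to the address it validated, and re-applies the check to every redirect target as well.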