
Re: RFS: isomaster



* David Johnson <dj@david-web.co.uk> [070317 18:07]:
> On Saturday 17 March 2007 16:24, I wrote:
> >
> > I'll need to look into the CFLAGS issue; the other items you mention I can
> > fix easily. If nobody else finds anything further, I'll re-upload once I've
> > fixed those identified so far.
> >
> OK, I reckon I've fixed the issues thus identified and have re-uploaded. I'd 
> appreciate it if people could take another look.
> [...]
> http://mentors.debian.net/debian/pool/main/i/isomaster/isomaster_0.8-1.dsc

I was almost complaining that the .orig.tar is still not original, but
then I realized your upstream changed (without changing the version or
the filename) and your current .orig.tar is indeed the same as the
current upstream .tar.

Some things left to do:

1) While the main directory now builds with -g, the subdirectories still
   do not. (And not with -O2 (resp. -O0 when noopt is given in DEB_BUILD_OPTIONS))

2) There is a little security bug when extracting:
   If an .iso contains a symlink and a file of the same name in that
   directory, extracting will write that file to where the symlink is.
   (To test: create with isomaster an image containing a directory
    harmless, which contains a symlink foobar to ../.ssh/authorized_keys
    and a file foobaz which contains some data. Save it and edit the
    generated .iso file to rename foobaz to foobar. Then open the
    image with isomaster and tell it to extract the harmless directory
    out of it. There is some question, but that does not look very
    dangerous to answer yes to for non-paranoid people).
   This is a minor problem as I doubt many people will use it to extract
   things from .iso files they get from untrusted sources. But I think
   it should be fixed nevertheless before putting it in Debian.

Yours faithfully,
	Bernhard R. Link

P.S: some minor bugs you could tell upstream:
- clicking on extract while nothing is selected gives:
   (isomaster:12327): Gtk-CRITICAL **: gtk_widget_destroy: assertion `GTK_IS_WIDGET (widget)' failed
- it's quite verbose on stdout by default when saving images
- it should warn against creating directories called . or .. in the iso
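The extraction bug in item 2 above is a write through a pre-existing symlink that shares a name with a regular file. The following is an added Python example (not isomaster code) of an extraction routine that refuses to write through any path that already exists, using O_CREAT|O_EXCL|O_NOFOLLOW; the in-memory entry list standing in for the ISO directory, the "harmless" layout and the empty authorized_keys file are all constructed to mirror the report.

```python
import errno
import os
import tempfile

# Constructed stand-in for the entries of one ISO directory ("harmless" in
# the report): a symlink and a regular file that both carry the name "foobar".
CONSTRUCTED_ENTRIES = [
    ("foobar", "symlink", "../.ssh/authorized_keys"),  # payload = link target
    ("foobar", "file", b"some data\n"),                # payload = file contents
]


def extract_hardened(entries, dest_dir):
    """Extract into dest_dir without ever writing through an existing path.
    Returns (written, refused) as lists of (name, kind)."""
    written, refused = [], []
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # 0 on platforms lacking the flag
    for name, kind, payload in entries:
        if os.sep in name or name in (".", ".."):  # entry names must be plain
            refused.append((name, kind))
            continue
        target = os.path.join(dest_dir, name)
        try:
            if kind == "symlink":
                os.symlink(payload, target)  # EEXIST if the name is taken; never written through
            else:
                # O_EXCL fails with EEXIST when target exists, a symlink included;
                # O_NOFOLLOW fails with ELOOP if a symlink were ever followed.
                fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL | nofollow, 0o644)
                with os.fdopen(fd, "wb") as f:
                    f.write(payload)
        except OSError as e:
            if e.errno not in (errno.EEXIST, errno.ELOOP):
                raise
            refused.append((name, kind))
            continue
        written.append((name, kind))
    return written, refused


def demo():
    """Replay the report's layout in a temp dir; the third result is True
    when authorized_keys was left untouched by the extraction."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = os.path.join(tmp, ".ssh", "authorized_keys")
        os.mkdir(os.path.join(tmp, ".ssh"))
        open(keys, "wb").close()  # empty on purpose so any write is detectable
        out = os.path.join(tmp, "harmless")
        os.mkdir(out)
        written, refused = extract_hardened(CONSTRUCTED_ENTRIES, out)
        return written, refused, os.path.getsize(keys) == 0
```

Whichever order the two entries come in, the second one hits EEXIST and is refused rather than landing on the symlink's target.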