
Bug#361740: liblua50-dev: symlink pointing to .

On Sun, Apr 09, 2006 at 06:23:00PM -0700, Russ Allbery wrote:
> Justin Pryzby <justinpryzby@users.sourceforge.net> writes:
> > On Sun, Apr 09, 2006 at 05:54:03PM -0700, Russ Allbery wrote:
> >> Does grep -r follow symlinks?  That sounds kind of dangerous.
> > It does, I just checked.  I'm not sure why it's dangerous, xargs in
> > /tmp/ is dumb, and anywhere else you control and should be safe..
> Well, because of exactly this.  Symlinks that create circular directory
> structures are extremely common.  Not dangerous in the security
> vulnerability sense, dangerous in the "this may not do what you expect and
> be very slow and annoying while not doing it" sense.
> > There is exactly one header file, and IMO packages should care enough
> > about their dependencies to not do silly things to get a single file
> > included.
> It smells like a transitional measure, but I don't know for sure.  I see
> that it was intentional:
>  lua50  (5.0.2-3) unstable; urgency=low
>    * Fold in a patch from Reuben Thomas, integrating the signal and error
>      code from Fedora Core. Thanks Reuben.
>    * Lintian cleanups (recursive symlink stays, sorry)
>  -- Daniel Silverstone <dsilvers@debian.org>  Thu, 3 Jun 2004 14:35:00 -0300 
Damn, I looked for this and bet I saw it too, but ignored it because
it m/^Lintian/..

I can see that it won't go away easily, since there are ~50 depending
packages, any of which might be including strangely named files..
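
The following is an added example, not part of the original message or of any Debian package: a shell function that lists symlinks whose target is the directory containing them or one of its ancestors, the kind of loop discussed in this thread that makes symlink-following recursive tools walk in circles. The directory names in the sample tree are constructed, and `readlink -f` is assumed to be available (GNU coreutils).

```shell
#!/bin/sh
# List symlinks under ROOT that point at their own directory or an ancestor of it.
# Assumes file names contain no newlines.
find_loop_symlinks() {
    root=$1
    # -type l matches the links themselves; find does not follow them by default.
    find "$root" -type l | while IFS= read -r link; do
        # Resolve the link; skip it if it cannot be resolved.
        target=$(readlink -f -- "$link") || continue
        [ -d "$target" ] || continue          # only directory targets can loop
        parent=$(readlink -f -- "$(dirname -- "$link")") || continue
        if [ "$target" = / ]; then target=; fi  # "/" is an ancestor of everything
        # The link loops when its resolved target is a prefix of its own directory.
        case "$parent/" in
            "$target"/*) printf '%s\n' "$link" ;;
        esac
    done
}

# Constructed sample tree: one self-referencing link and one harmless link.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/include/demo"
    : > "$d/include/demo/demo.h"
    ln -s . "$d/include/demo/demo"     # loop: demo/demo/demo/... never ends
    ln -s demo "$d/include/alias"      # sibling link, resolves outside its parent chain
    printf '%s\n' "$d"
}

tree=$(make_demo_tree)
find_loop_symlinks "$tree"             # prints only .../include/demo/demo
rm -rf "$tree"
```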
