
Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp



On Sun, Jul 06, 2014 at 11:49:26PM +0200, Jakub Wilk wrote:
>  # apt-get build-dep nyancat

Even if we ignore security for a moment I am not a fan of this syntax as
it is too surprising for me. I think I would be happier if this would
always require a relative/absolute path rather than just a directory
name à la: apt-get build-dep ./nyancat

(aka: at least one / in the pkgname before a file lookup is attempted. And
a message like those for regex/glob if it matched anything)

This also 'solves' the security problem by letting the user decide how
secure she wants to be.

(I haven't looked at the code though, yet)


Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature
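
The rule proposed in the message above, sketched as an added shell example (not APT's code and not part of the thread): an argument is looked up on disk only if it contains at least one '/'. The function names, the wording of the note, and the simplified model of the bare-name lookup are assumptions made for illustration.

```shell
#!/bin/sh
# Simplified model (assumption) of the lookup the bug report is about:
# a bare name is taken as a source directory whenever one exists in cwd.
resolve_bare_lookup() {
    if [ -e "$1" ]; then echo path; else echo package; fi
}

# Rule proposed in the message: no '/' in the argument means no file lookup.
resolve_proposed() {
    case "$1" in
        */*)
            if [ -e "$1" ]; then
                # Note in the spirit of the regex/glob messages (wording invented here).
                echo "Note: using path '$1' as build-dep source" >&2
                echo path
            else
                echo no-such-path
            fi
            ;;
        *)
            # Never stat the cwd for a bare name; treat it as a package name.
            echo package
            ;;
    esac
}

# Constructed scenario: a shared directory where a 'nyancat' entry already
# exists before the administrator runs the command from it.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/nyancat"
    (
        cd "$work" || exit 1
        printf '%s %s %s\n' \
            "$(resolve_bare_lookup nyancat)" \
            "$(resolve_proposed nyancat 2>/dev/null)" \
            "$(resolve_proposed ./nyancat 2>/dev/null)"
    )
    rm -rf "$work"
}

demo
```

With the bare-name lookup, whatever sits in the current directory decides what `nyancat` means; with the proposed rule only the explicit `./nyancat` form reaches the filesystem.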