Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive
Chris Lamb
lamby at debian.org
Thu Feb 9 22:07:22 UTC 2017
tags 854723 + pending
thanks
> diffoscope may write to arbitrary locations on disk depending on the contents
> of an untrusted archive
We can actually avoid all edge-cases of sanitisation by simply not using
the supplied filename and maintaining our own mapping.
Given this is both safer (and has far less code) I've gone ahead and committed
that here:
https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=632a40828a54b399787c25e7fa243f732aef7e05
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org / chris-lamb.co.uk
`-
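As an added illustration of the approach described in the message, not diffoscope's own code or the linked commit: archive members are written to names the extractor chooses itself, and a dict records which untrusted member name became which path, so no traversal or absolute path in the archive ever reaches the filesystem. The archive, the `extract_with_own_mapping` and `demo` function names, and the `member-N` naming scheme are all constructed for this example.

```python
import io
import os
import shutil
import tarfile
import tempfile


def extract_with_own_mapping(archive_bytes, dest_dir):
    """Extract every regular file of a tar archive into dest_dir without
    ever using the member's own name as a filesystem path.

    Each member is written to a file named by its position in the archive
    (member-0, member-1, ...), and the returned dict maps the untrusted
    member name to the path actually written.  Traversal sequences and
    absolute paths in the name therefore never need sanitising at all.
    """
    mapping = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for index, member in enumerate(tar.getmembers()):
            # Only regular files are materialised; links and devices are
            # skipped, so a member cannot redirect later writes either.
            if not member.isfile():
                continue
            target = os.path.join(dest_dir, "member-%d" % index)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            mapping[member.name] = target
    return mapping


def build_constructed_archive():
    """Constructed sample input: a tar whose member names would be
    dangerous if used verbatim as output paths."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("../../escaped.txt", b"outside"),
                           ("/abs/path.txt", b"absolute"),
                           ("normal/file.txt", b"fine")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Extract the constructed archive into a fresh temp dir; return the
    mapping, whether every file stayed inside it, and the file contents."""
    dest = tempfile.mkdtemp()
    mapping = extract_with_own_mapping(build_constructed_archive(), dest)
    root = os.path.realpath(dest) + os.sep
    inside = all(os.path.realpath(p).startswith(root) for p in mapping.values())
    contents = {}
    for name, path in mapping.items():
        with open(path, "rb") as fh:
            contents[name] = fh.read()
    shutil.rmtree(dest)
    return mapping, inside, contents
```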