Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

Ximin Luo infinity0 at debian.org
Thu Feb 9 23:10:00 UTC 2017


Chris Lamb:
> tags 854723 + pending
> thanks
> 
>> diffoscope may write to arbitrary locations on disk depending on the contents
>> of an untrusted archive
> 
> We can actually avoid all edge-cases of sanitisation by simply not using
> the supplied filename and maintaining our own mapping.
> 
> Given this is both safer (and has far less code) I've gone ahead and committed
> that here:
> 
>   https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=632a40828a54b399787c25e7fa243f732aef7e05
> 

Thanks, this is better.

However, this particular scheme might not work so well with large archives with lots and lots of members (>many thousands), depending on what filesystem the tempdir is contained in. I'd suggest using names like $x/$y where $x = idx // 4096, $y = idx % 4096.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
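The two ideas in the thread above, ignoring the member name supplied by the archive entirely and sharding the generated names as $x/$y with x = idx // 4096 and y = idx % 4096, as an added illustration. This is example code written for this page, not diffoscope's own extraction code, and it only uses Python's standard library `tarfile` module. The function names (`member_path`, `extract_untrusted`, `all_under`, `demo`), the shard size constant and the hostile sample archive are all constructed here for the demonstration.

```python
import io
import os
import tarfile
import tempfile

# Shard width suggested in the message: at most 4096 entries per directory.
SHARD = 4096


def member_path(root, idx, shard=SHARD):
    """Map the idx-th archive member to root/<idx // shard>/<idx % shard>.

    The archive's own member name is never consulted, so '..' components,
    absolute paths or symlink tricks in the name cannot steer the write.
    """
    return os.path.join(root, str(idx // shard), str(idx % shard))


def extract_untrusted(archive_bytes, root):
    """Extract every regular file of a tar archive under root.

    Returns a list of (original member name, path written) pairs; the
    caller keeps this mapping instead of trusting names on disk.
    """
    mapping = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for idx, member in enumerate(tf.getmembers()):
            dest = member_path(root, idx)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            if member.isfile():
                # extractfile() only reads the data; we choose the target path.
                with tf.extractfile(member) as src, open(dest, "wb") as out:
                    out.write(src.read())
            mapping.append((member.name, dest))
    return mapping


def all_under(root, paths):
    """True if every path resolves to a location inside root (a sanity check)."""
    real_root = os.path.realpath(root)
    return all(
        os.path.commonpath([real_root, os.path.realpath(p)]) == real_root
        for p in paths
    )


def build_hostile_tar():
    """Constructed sample archive whose member names try to escape the tempdir."""
    entries = [
        ("../../../../tmp/owned", b"pwned\n"),   # path traversal attempt
        ("/etc/passwd", b"root::0:0\n"),        # absolute path attempt
        ("normal.txt", b"hello\n"),             # a benign member for comparison
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Extract the hostile archive into a fresh tempdir; return (root, mapping)."""
    root = tempfile.mkdtemp(prefix="diffoscope-example-")
    mapping = extract_untrusted(build_hostile_tar(), root)
    return root, mapping


if __name__ == "__main__":
    root, mapping = demo()
    for name, dest in mapping:
        print("%-25s -> %s" % (name, dest))
    print("all inside tempdir:", all_under(root, [p for _, p in mapping]))
```

Because the on-disk name is derived from the member's index alone, the mapping back to the original name has to be kept by the extractor (here the returned list); the sharding only matters for very large archives, where thousands of entries in a single directory can become slow on some filesystems.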



More information about the Reproducible-builds mailing list