Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive
Ximin Luo
infinity0 at debian.org
Thu Feb 9 23:14:00 UTC 2017
Ximin Luo:
> Chris Lamb:
>> tags 854723 + pending
>> thanks
>>
>>> diffoscope may write to arbitrary locations on disk depending on the contents
>>> of an untrusted archive
>>
>> We can actually avoid all edge-cases of sanitisation by simply not using
>> the supplied filename and maintaining our own mapping.
>>
>> Given this is both safer (and has far less code) I've gone ahead and committed
>> that here:
>>
>> https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=632a40828a54b399787c25e7fa243f732aef7e05
>>
>
> Thanks, this is better.
>
> However this particular scheme might not work so well with large archives with lots and lots of members (>many thousands), depending on what filesystem the tempdir contained in. I'd suggest to use names like $x/$y where $x = idx // 4096, $y = idx % 4096.
>
Also, are you sure this doesn't interfere with the detection of order-only differences, or the ability to match up similar-member-names?
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
More information about the Reproducible-builds
mailing list