oss-sec mailing list archives
Re: Using quilt on untrusted RPM spec files
From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 22 Oct 2018 20:26:38 +0200
* Matthias Gerstner <mgerstner () suse de>, 2018-09-27, 17:59:
> It turns out that running `quilt setup` on untrusted sources is not a good idea:
Debian largely avoids this problem by having a source package format with a built-in patch system[0]. Most of the time the unpacked source package will have patches applied, so there's no need for the reviewer to run untrusted code to prepare the source.

(That said, dpkg-source had quite a few path traversal bugs in the past[1] and I have a hunch there are more to be found...)

While debian/rules can have an optional "patch" target[2] (which is a bit like RPM's %prep), it has fallen into disuse these days. A developer wouldn't call "debian/rules patch" against a random not-yet-reviewed package, because it would be unusual to have this target implemented.
[0] https://manpages.debian.org/stretch/dpkg-dev/dpkg-source.1.en.html#Format:_3.0_%28quilt%29
[1] https://security-tracker.debian.org/tracker/source-package/dpkg
[2] https://www.debian.org/doc/debian-policy/ch-source.html#main-building-script-debian-rules

-- 
Jakub Wilk
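The path traversal risk mentioned above (a patch whose file headers point outside the unpacked tree) can be screened for before any patch tool touches the files. The following is an added example written for this archive page, not code from the thread, dpkg or quilt: it walks the `---`/`+++` headers of a unified diff, emulates the `-p1` component stripping, and flags absolute targets or targets that normalize to a location above the tree root. The sample patch is constructed for the example.

```python
import posixpath
import re

# Constructed sample: two benign hunks followed by two headers that escape
# the source tree (a relative climb past the root and an absolute path).
SAMPLE_PATCH = """\
--- a/src/main.c
+++ b/src/main.c
@@ -1 +1 @@
-int x;
+int y;
--- a/docs/README
+++ b/docs/README
@@ -1 +1 @@
-old
+new
--- /dev/null
+++ b/../../escaped.txt
@@ -0,0 +1 @@
+written outside the tree
--- /dev/null
+++ /tmp/absolute.txt
@@ -0,0 +1 @@
+absolute target
"""

# File headers: "--- path" or "+++ path", optionally followed by a
# tab-separated timestamp, which \S+ stops at.
HEADER_RE = re.compile(r'^(\+\+\+|---) (\S+)')


def strip_prefix(path, strip=1):
    """Emulate patch -pN: drop the first N leading path components."""
    return '/'.join(path.split('/')[strip:])


def is_unsafe_path(path, strip=1):
    """True if applying a hunk to this header path could write outside
    the directory the patch is applied in."""
    if path == '/dev/null':          # conventional marker for a new/deleted file
        return False
    if path.startswith('/'):         # absolute path: never acceptable in a patch
        return True
    target = strip_prefix(path, strip)
    if not target:                   # fewer components than -p strips away
        return True
    normalized = posixpath.normpath(target)
    # After normalization any climb above the root shows up as a leading ".."
    return normalized == '..' or normalized.startswith('../')


def audit_patch(text, strip=1):
    """Return a list of (line number, path) for every file header whose
    target escapes the tree. Deliberately conservative: a removed body line
    that itself begins with "-- " will also be examined, and flagging it is
    preferable to missing a real escape."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if m and is_unsafe_path(m.group(2), strip):
            findings.append((lineno, m.group(2)))
    return findings


if __name__ == '__main__':
    for lineno, path in audit_patch(SAMPLE_PATCH):
        print(f'line {lineno}: header path escapes the tree: {path}')
```

This is a static pre-check on the patch text only; it says nothing about symlinks that already exist in the unpacked tree, which is the other classic way a patch ends up writing outside it, so it complements rather than replaces applying patches in a throwaway directory or container.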