On Thu, Jun 09, 2005 at 07:17:31PM +0200, Ralf S. Engelschall wrote:
> On Thu, Jun 09, 2005, Michael Schloh von Bennewitz wrote:
>> The bootstrap package must be corrected to stop a medium grade security
>> flaw (CAN-2005-1228). In the bootstrap package, patch(1) is built after
>> gzip(1). The problem lies in the source gzip.c, which must be corrected
>> with patch(1). How would you the architect, like the solution to be?
>>
>> 1 OpenPKG dependency to patch(1). (complicated for slim systems)
>>
> Not possible at all. The "openpkg" package cannot have any dependencies
> as it is the root in the dependency chain because of bootstrapping
> reasons.
>
Sure it is, just as the "openpkg" package has a dependency to tar(1), it
can have a dependency to patch(1). But it is maybe the worst of all
choices, so let's forget about it to begin with.
>> 2 Build gzip(1) twice when bootstrapping. (costs 30 seconds more)
>>
> Hmmm... how should this be done? Is the security flaw in gzip not
> a run-time problem? How should building it twice work? What if the
> security issue is already exploited between the first and the second
> build?
>
Yes, it is a runtime problem. You are right that in between the first
gzip build and the second gzip build somebody could reach into the
$TMP/openpkg-<date>-<date>/gzip-%{version}/gzip and use it unsafely.
This timeframe is about 20 seconds, however. After that, gzip can be
patched and a new gzip(1) built that replaces the defective one.
>> 3 Embed the entire corrected 54Kb gzip.c. (increases maintenance)
>>
> This would be the best approach for the 2.2 and 2.3 "openpkg" packages
> IMHO. Go for this option, please.
>
Okay.
--
Michael Schloh von Bennewitz <[EMAIL PROTECTED]>
Software Engineer Development, Spacenet AG
Joseph-Dollinger-Bogen 14, D-80807 Muenchen
