Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-11 Thread Moritz Mühlenhoff
On Fri, Feb 10, 2017 at 11:07:22AM +1300, Chris Lamb wrote:
> tags 854723 + pending
> thanks
>
> > diffoscope may write to arbitrary locations on disk depending on the
> > contents
> > of an untrusted archive

Please use CVE-2017-0359

Cheers,
Moritz

Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Chris Lamb
Ximin Luo wrote:
> this particular scheme might not work so well with large archives
> with lots and lots of members

Mm although unlikely to be a serious problem as we aren't iterating over the directory.

> Also, are you sure this doesn't interfere with the detection of
> order-only

Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Ximin Luo
Ximin Luo:
> Chris Lamb:
>> tags 854723 + pending
>> thanks
>>
>>> diffoscope may write to arbitrary locations on disk depending on the
>>> contents
>>> of an untrusted archive
>>
>> We can actually avoid all edge-cases of sanitisation by simply not using
>> the supplied filename and maintaining

Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Ximin Luo
Chris Lamb:
> tags 854723 + pending
> thanks
>
>> diffoscope may write to arbitrary locations on disk depending on the contents
>> of an untrusted archive
>
> We can actually avoid all edge-cases of sanitisation by simply not using
> the supplied filename and maintaining our own mapping.
>
>

Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Chris Lamb
tags 854723 + pending
thanks

> diffoscope may write to arbitrary locations on disk depending on the contents
> of an untrusted archive

We can actually avoid all edge-cases of sanitisation by simply not using the supplied filename and maintaining our own mapping. Given this is both safer (and

Processed: Re: Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 854723 + pending
Bug #854723 [diffoscope] diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--

Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Ximin Luo
Package: diffoscope
Version: 67
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

5fdfe91e71f1c520d902350b18f793b8c69d9118 introduced a security hole where diffoscope may write to arbitrary locations on disk depending on the contents of an untrusted archive.