On Tue, Apr 10, 2007 at 08:39:25PM -0400, Jeremy Katz wrote:
> On Tue, 2007-04-10 at 20:20 -0400, seth vidal wrote:
> > On Wed, 2007-04-11 at 00:43 +0200, Hans-Peter Jansen wrote:
> > > On Tuesday, 10 April 2007 07:19, seth vidal wrote:
> > > > Tarball:
> > > > http://linux.duke.edu/yum/download/3.0/yum-3.0.6.tar.gz
> > >
> > > Any specific reason why the tarball contains all those CVS dirs, or did it
> > > just escape your notice?
> > >
> > It doesn't contain any more than any other release of yum has. Or do you
> > mean in general, why do we leave the CVS dirs in place? And if so I'd
> > say you might have a point. :)
>
> In fact, what about the following to add a 'make dist' target that does
> an export off of the tag for the release?

This patch creates a /tmp file vulnerability for anybody making a build, where an attacker can overwrite arbitrary files owned by the person running the build.

-- 
Michael
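
One way to stage a release tarball without the temp-file problem raised in the reply above, as an added example that is not part of the thread or of the yum patch. The patch itself is not reproduced on this page, so the fixed-name pattern mentioned in the comments is an assumed illustration, and `private_stage` and `make_dist` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the 'make dist' patch from the thread.

# private_stage: create a fresh staging directory and print its path.
# Insecure pattern, assumed here for contrast: a fixed name such as
# /tmp/<package>-<version>, which another local user can pre-create so
# that the build writes into something it does not control.
# mktemp -d creates the directory atomically, mode 0700, with a random
# suffix, and fails instead of reusing something that already exists.
private_stage() {
    mktemp -d "${TMPDIR:-/tmp}/dist.XXXXXXXXXX"
}

# make_dist SRC_DIR NAME OUT_DIR
# Copy SRC_DIR into a private staging directory as NAME/, drop the CVS
# administrative directories, and write OUT_DIR/NAME.tar.gz.
# OUT_DIR is assumed to be writable only by the person running the build.
# Prints the tarball path on success.
make_dist() {
    md_src=$1
    md_name=$2
    md_out=$3

    md_stage=$(private_stage) || return 1
    md_status=0

    mkdir "$md_stage/$md_name" &&
    cp -R "$md_src"/. "$md_stage/$md_name"/ &&
    find "$md_stage/$md_name" -type d -name CVS -prune -exec rm -rf {} + &&
    tar -C "$md_stage" -czf "$md_out/$md_name.tar.gz" "$md_name" ||
    md_status=1

    # Always remove the staging directory, whether or not the build worked.
    rm -rf "$md_stage"

    [ "$md_status" -eq 0 ] || return 1
    printf '%s\n' "$md_out/$md_name.tar.gz"
}
```

The same effect is available inside a Makefile rule by assigning the `mktemp -d` result to a shell variable within a single recipe line, so the path is never a name an outsider can predict.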
