On Sat, Mar 02, 2019 at 08:19:11PM +1000, Allan McRae wrote:
Deltas are broken. So much so that I would strongly recommend never using a delta from a repo that you did not generate yourself. In short, we call "system(command)", with a command that includes the name of a delta file, and the name of the package file before and after applying the delta. The name of the delta and the package files is controlled by the information in the repo, and could contain a malicious command to be run as root.
We could possibly work around this, but it is a very risky piece of code and I believe it would be very hard to fully secure. Instead, I propose to remove delta support completely.
This issue was assigned CVE-2019-18183. https://security.archlinux.org/CVE-2019-18183 -- Morten Linderud PGP: 9C02FF419FECBE16