[pacman-dev] [PATCH 0/5][RFC] Die delta, die!

Morten Linderud foxboron at archlinux.org
Thu Oct 17 14:59:00 UTC 2019


On Sat, Mar 02, 2019 at 08:19:11PM +1000, Allan McRae wrote:
> Deltas are broken. So much so that I would strongly recommend never
> using a delta from a repo that you did not generate yourself. In short,
> we call "system(command)", with a command that includes the name of
> a delta file, and the name of the package file before and after applying
> the delta. The name of the delta and the package files is controlled by
> the information in the repo, and could contain a malicious command to be
> run as root.
> 
> We could possibly work around this, but it is a very risky piece of code
> and I believe it would be very hard to fully secure. Instead, I propose
> to remove delta support completely.

This issue was assigned CVE-2019-18183.

https://security.archlinux.org/CVE-2019-18183

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
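The following is an added illustration, not code from pacman or from either author above. It shows the pattern Allan describes: repo-supplied file names are spliced into one string handed to system() (that is, to /bin/sh -c), so a name containing shell metacharacters becomes part of the command executed as root. Beside it is a hardened variant that validates the names and runs the tool through fork/execvp with an argv array, so no shell ever parses them. The "xdelta3 -d -q -s" invocation, the filename_is_safe character set and the function names are assumptions for illustration only; the vulnerable string is built but deliberately never executed.

```c
/* Added example: command-string construction from repo-controlled names
 * versus a validated argv-based spawn.  Not pacman's code.  The xdelta3
 * command form and the validation rule below are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: file names taken from the repo database are spliced
 * into a single shell command.  If this string reached system(), the shell
 * would honour any ';', '|', '$(...)' or '`' inside the names.  Returns 0 on
 * success, -1 if the buffer is too small.  It is never passed to system()
 * here; it only shows what the shell would have received. */
static int build_shell_command(char *out, size_t outlen,
                               const char *delta, const char *from,
                               const char *to)
{
    int n = snprintf(out, outlen, "xdelta3 -d -q -s %s %s %s", from, delta, to);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardening check (assumed rule): a delta or package file name may only
 * contain [A-Za-z0-9._+:-], must not start with '-' (so the tool cannot
 * parse it as an option) and must not contain "..".  Returns 1 if safe. */
static int filename_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '-')
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' ||
              c == '+' || c == ':'))
            return 0;
    }
    if (strstr(name, "..") != NULL)
        return 0;
    return 1;
}

/* Hardened pattern: validate every name, then spawn the tool with an argv
 * array.  No shell is involved, so metacharacters in a name are passed to
 * xdelta3 as literal bytes (and rejected before that anyway).  Returns the
 * child's exit status, or -1 on validation or spawn failure. */
static int run_delta_tool(const char *delta, const char *from, const char *to)
{
    if (!filename_is_safe(delta) || !filename_is_safe(from) ||
        !filename_is_safe(to))
        return -1;

    char *argv[] = { "xdelta3", "-d", "-q", "-s",
                     (char *)from, (char *)delta, (char *)to, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);           /* exec failed; do not fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed names: one legitimate, one carrying an injected command. */
    const char *good  = "foo-1.0-1_to_1.1-1-x86_64.delta";
    const char *evil  = "foo.delta; touch /tmp/pwned; #";
    const char *from  = "foo-1.0-1-x86_64.pkg.tar.xz";
    const char *to    = "foo-1.1-1-x86_64.pkg.tar.xz";
    char cmd[512];

    build_shell_command(cmd, sizeof cmd, evil, from, to);
    printf("string a system() call would hand to /bin/sh:\n  %s\n", cmd);
    printf("filename_is_safe(good) = %d\n", filename_is_safe(good));
    printf("filename_is_safe(evil) = %d\n", filename_is_safe(evil));
    printf("run_delta_tool with evil name -> %d (rejected, nothing spawned)\n",
           run_delta_tool(evil, from, to));
    return 0;
}
```

The point of the argv form is not the character filter alone: even if a name slipped through validation, execvp delivers it as a single argument, so the injected text can at worst confuse xdelta3, not start a second command as root. Allan's conclusion that the whole path is hard to secure still stands, since the tool's own option parsing and the package/delta file contents remain attacker-influenced.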